{
: :}
For instance : {<0xFFFE>
: :<>}
file: file type; code: encoding pattern; header: file head; body: file content; trailer: file tail. (1) Word Document Structure Word file’s structure is more complicated than the txt file’s. It is made up of several virtual streams including Header, Data, Fat Sectors, MiniFat Sectors and DIF Sectors. Word pattern is as follows: {} (2) PDF Structure Generally speaking, a PDF file can be divided into four parts. The first is file header, in the first line of the PDF file, specifies the version number of a PDF specification that the file obeys. The second is file body, the main part of PDF files, which is formed by a series of objects. The third is cross-reference table, an address index table of indirect object, which is used to realize the random access to indirect objects. The last is file tail, which declares the address of the cross-reference table, points out the file catalog, so
Data Recovery Based on Intelligent Pattern Matching
195
that the location of each object body in PDF file can be found and random access can be achieved. It also stores encryption and other security information of the PDF file. PDF pattern is as follows: {} 3.2
The Definition of Feature Pattern Library
Feature pattern is seen as an ordered sequence composed of items and each item corresponds to a set of binary sequences [7]. During the pattern matching, items can be divided into three types according to the role they play. They are feature item P, data item D, optional item H. 1) Feature items P: To identify common features of different files, such as the feature item of A Word file always begins with 0xD0CF11E0. 2) Data items D: To show the body of the file. 3) Optional items H: the data used to fulfill the integrity of file. 3.3
Pattern Library Generation
The processes of pattern library generation are listed as follow steps. Firstly, compare different files with the same type and generate candidate pattern set; Secondly, apply it to the procedure of training data recovery; Thirdly, compare the recovery result with the original file in order to evaluate the candidate patterns and then screen out patterns which meet the requirements; Lastly, the pattern library of this type of file is achieved. There are three files provided, they are 1.doc, 2.doc and 3.doc. Three patterns can be obtained after binary comparison with each other. The three patterns are E1, E2, and E3. E1 =P1 H1 P2 D1 H2 ........Dn Pn E n E2 =P1 H1 P2 D1 H2 .......Dn Pn E n E3 =P1 H1 P2 D1 H2 ........Dn Pn E n 3.4
Cluster Analysis of Pattern
(1) Pattern Similarity Calculation The pattern generated by existing files is an ordered sequence of items which are made up of binary sequences. With pattern E1, E2, the definition of similarity is Sim ( Ei , E j )
:
Sim ( Ei , E j ) = max( Score (Comm ( Ei , E j )))
.
In
the
definition,
Comm ( Ei , E j ) is the common subsequence of Ei and Ej . Score (Comm ( Ei , E j )) is the
score of the common subsequence. (2) The Definition of the Common Subsequence Score There are two given sequences A={a1, a2, a3.....an} and B={b1, b2, b3......bn}. If there exist two monotone increasing sequences of integers i1< i2< i3......< in and j1< j2<
196
J. Yi, S. Tang, and H. Li
j3......< jn satisfying aik=bjk=ck (k=1,2.......), then we can call C={c1, c2, c3......cn} is the common subsequence of A and B, and C can be denoted by symbol Comm ( A, B ) . The expression of common subsequence score defines as follow: n
Num (Comm ( E , E i
Score (Comm ( E i , E j )) =
j
))
i , j =1
| E i | + | E j | − Num (Comm ( E i , E j ))
Among them, Num(Comm ( Ei , E j )) denotes the account of items contained in the Comm ( Ei , E j ) . (3) Set the Similarity Threshold According to threshold, patterns are classified and form the pattern library of corresponding documentation. For instance, txt pattern library: {E1, E2}, E1= D1 (When txt is stored in ASCII, store the file body directly. P= {}); E2= P1 D1(When txt is stored in UNICODE or UTF8, the file begins with 0xFFFE, that is, P1 = 0xFFFE ); (4) The Classification of Sector Data The current file system is distributed by clusters and a cluster as the smallest units; moreover the cluster is composed by many sectors. Typically, the size of a sector is 512 bytes. However, in order to exclude the affection of file systems, this system recovers files in sectors. Furthermore, since most files are not stored continuously, it is necessary to match the data on sector with the feature pattern library one by one in order to determine the file type stored inside. If the data A of a sector is given, to determine which type of document the sector data belongs to and make P ( A S ) maximum, then Sˆ = arg max s P ( A S )
According to Bayesian formula P ( S ) P( A / S ) , P ( A) is constant when A is given, therefore, S = arg max S P ( A) S = arg max s P ( A / S ) P ( S ) . According to the result, the ones with the maximum probability can be classified into certain kind of file. However, this method does not include the match of data items D, because data items are abstracted from file body, while the body of the document is uncertain, so it will not be able to measure the matching degree. Consequently, with regard to the process of data item, the main idea is to determine its property determine its properties by checking its encoding mode and the context of its neighbor sectors. So, S n = arg max{P ( S n −1 ), P ( S n ), P ( S n +1 )} . (5) Pattern Evaluation After comparing the result of data recovery with standard document, we can divide files into successfully restored ones and unsuccessfully restored ones according to the result matched with pattern E. So, we can calculate the credibility of selected pattern E [8]:
Data Recovery Based on Intelligent Pattern Matching
R(E ) =
197
C orr ( E ) C orr ( E ) + E rr ( E )
Among them, R ( E ) is the credibility of the selected pattern E, Corr ( E ) is the number of files which are successful recovered by selected pattern E, and Err ( E ) is the number of files which are unsuccessful recovered. According to the result, patterns are sequenced and the one with higher credibility will get priority.
4 4.1
Recovery Process Recovery Process
By analyzing the internal structure of documents, a data recovery method based on pattern matching is proposed. It combines feature pattern of files with data association. (Figure 1) Sector Data
Pattern matching
Feature pattern Library
Encoding set
Data classified by format
Re-matches, to determine the location of the data in the text Data Recovery
Output
Fig. 1. Data recovery flow chart
4.2
Solving Data Conflict
Data conflicts are mainly caused by the fact that there is more than one file with the same type on hard disk. The conflicts have two kinds. One is the data which has almost the same similarity with pattern matching and the other is the data which cannot match with pattern matching. For data conflicts, an approach based on context pattern is adopted [8]. The context pattern is seen as an ordered sequence which is composed of neighbor sectors where the data is stored, i.e., W-nW-n-1...W-2 W-1 W1 W2...Wn. represents data conflict, W refers to context data of PN, n represents the index of the sector.
198
J. Yi, S. Tang, and H. Li
Algorithm processes are as follows. Set the similarity threshold l=0.5, n=1, n<8 1. 2. 3.
5
Expand data PN into W-nW-n-1...W-2 W-1 W1 W2...Wn; Match with the feature pattern library, if l <0.5, then n ++, and return 1. If n ≠ 8 , W-nW-n-1...W-2 W-1 W1 W2...Wn will be classified, the position in the pattern is recorded; If n = 8 , it means that there is no appropriate place, then the data on this sector will be treated as useless data and been abandoned.
Experimental Result and Analysis
Feature pattern library is generated by 3 txt documents, 6 word documents and 6 pdf documents, and the pattern similarity threshold S = 0.4. After making internal testing on generated patterns, six of them are selected to form feature pattern library. It includes 2 txt patterns, 2 word patterns and 2 pdf patterns, respectively named E1, E2, E3, E4, E5 and E6. A hard disk and both a new and an old USB flash disks are selected to make Raw and formatted recovery respectively. Each disk has 10 files on it. The results are showed in Table 1, Table 2: Table 1. Result of Raw Data Recovery Based on pattern Matching Disk
Size
Number of recovery files
successful rate
New USB flash
128M
8
80%
USB flash disk
128M
14
50%
USB flash disk
256M
20
30%
Hard disk
5G
31
10%
disk
Table 2. Result of Formatted Recovery Based on pattern Matching Disk
Size
Number of recovery files
successful rate
USB flash disk
128M
9
60%
USB flash disk
256M
13
35%
Hard disk
5G
25
90%
As we can see from the tables, the recovery result of a new USB flash disk is the best. It is because the majority sectors of a new USB flash disk have not been written
Data Recovery Based on Intelligent Pattern Matching
199
yet and most files are stored continuously. This reduces the conflicts on data classification, and it is convenient for pattern matching. While the disk has been used for a long time, the sector data becomes very complicated because of the increasing number of user operations, which will make the matching more complicated. It is obviously that the effect of file recovery is related to disk capacity and serving time. The larger disk capacity and the more files it stores, the more conflicts would be caused on data classification; the longer serving time, the more complicated the data would become, which results in more difficulties in pattern matching.
6
Conclusion
Making full use of data on free sectors, data recovery based on intelligent pattern matching has a good effect on restoration of text files, provides a new approach to the development of data recovery software in the future, and also improves the efficiency of computer forensics. However, there are lots of works to further improve, including to improve the accuracy of extraction of feature patterns, to expand the scope of the pattern library, to further improve the intelligent processing of related sectors, to extract the central meaning of the text and enhance the matching accuracy. Currently this approach only deals with text files, but it is feasible to expand the scope to other files because other files also have their own file formats and encoding patterns, based on which their characteristic pattern library can be developed. With this data recovery approach, the data utilization ratio of free sectors can be enhanced, the risk of data loss can be reduced and the recovery efficiency can be improved.
References [1] Riloff, E.: Automatically Constructing a Dictionary for Information Extraction Tasks. In: Proceedings of the Eleventh National Conference on Artificial Intelligence, pp. 811–816. AAAI Press / The MIT Press (1993) [2] Yangarber, R., Grishman, R., Tapanainen, P.: Unsupervised Discovery of Scenario Level Patterns for Information Extraction. In: Proceedings of Sixth Applied Natural Language Processing Conference (ANLP - 2000), Seattle WA, pp. 282–289 (2000) [3] Zheng, J.h., Wang, X.y., Li, F.: Research on Automatic Generation of Extraction Patterns. Journal of Chinese Information Processing 18(1), 48–54 (2004) [4] Qiu, Z.-h., Gong, L.-g.: Improved Text Clustering Using Context. Journal of Chinese Information Processing 21(6), 109–115 (2007) [5] Liu, Y.-c., Wang, X.-l., Xu, Z.-m., Guan, Y.: A Survey of Document Clustering. Journal of Chinese Information Processing 20(3), 55–62 (2006) [6] Abdel-Galil, T.K., Hegazy, Y.G., Salama, M.M.A.: Fast match-based vector quantization partial discharge pulse pattern recognition. IEEE Transactions on Instrumentation and Measurement 54(1), 3–9 (2005) [7] Perruisseau-Carrier, J., Llorens Del Rio, D., Mosig, J.R.: A new integrated match for CPW-FED slot antennas. Microwave and Optical Technology Letters 42(6), 444–448 (2004) [8] Papadimit riou, C.H.: Latent Semantic Indexing:A Probabilistic Analysis. Journal of Computer and System Sciences 61(2), 217–235 (2000)
Study on Supervision of Integrity of Chain of Custody in Computer Forensics* Yi Wang East China University of Political Science and Law, Department of Information Science and Technology, Shanghai, P.R. China, 201620 [email protected]
Abstract. Electronic evidence becomes more and more popular in case handling. In order to maintain its original effect and be accepted by court, its integrity has to be supervised by judges. This paper studies on how to reduce the burden of judges’ task to determine the integrity of chain of custody, even there is no technique experts on the spot. Keywords: Electronic evidence, chain of custody, computer forensics.
1
Introduction
Nowadays, electronic evidence becomes more and more popular in cases handling. Sometimes it is even unique and only evidence. However, current Laws are not suitable enough to treat this kind of cases. Academia and practitioners are devoted themselves to facing the challenges. Besides, experts in field of information science and technology are also engaged in solving these problems, since it is complicated and referring to cross field research. In technical field, several typical models for computer forensics had been proposed since last century. They are Basic Process Model, Incident Response Process Model, [1] Law Enforcement Process Model, an Abstract Process Model, the Integrated Digital Investigation Model and Enhanced Forensics Model, etc. Chinese scholars also put forward their achievements, such as Requirement Based Forensics model, Multi-Dimension Forensics Model, and Layer Forensics Model. Above researches are concentrated on regular technique operations during forensic process. [2] Some of the models are designed for specific environment, and can not be popularized to other situations. In legislation, there are debates on many questions, such as classification of electronic evidence, rules of evidence, the effect of electronic evidence, etc. They try to establish a framework, guide lines or criterions to regular and direct operations and process.[3] However, since there are so many uncertain things need to be clarified, it *
This paper is supported by Innovation Program of Shanghai Municipal Education Commission, project number: 10YS152, and Program of National Social Science Fund, project number: 06BFX051, and Key Subject of Shanghai Education Commission (fifth) Forensic Project, project number J51102.
X. Lai et al. (Eds.): E-Forensics 2010, LNICST 56, pp. 200–206, 2011. © Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2011
Study on Supervision of Integrity of Chain of Custody in Computer Forensics
201
needs time to solve them one by one. It has been widely accepted that current laws lag behind the technology development, and need to be modified or appended to adapt new circumstances. But innovation can’t be finished in one day. One of the main reasons on slowness of current law innovation is lack of seamless integration between legislation and computer science field. Lawyers are not familiar with computer science and technology, when it comes to technique area, they can not write or discuss deeply. On the opposite, the computer experts are facing the same problem, when it comes to law, they are laymen. Therefore, when standing on the border of the two fields, there is no enough guidance telling you what to do next, and there is no explicit rules directing you how to operate exactly. Judges and forensic officers sustain heavy burden when they facing cases dealing with electronic evidences, on one hand they have no enough guidelines, and on the other hand, they have to push cases forward. This paper first considers how to divding duty clearly between legislation and computer science. That is to say which areas are concerned by law, and which ones are left for technique. It is the base of further discussion. Then let things go ahead naturally.
2
Analysis of Forensic Process
In computer forensic, many forensic models are suggested to regular forensic process, which is related to a lot of technical tasks. The models considered more on technique problems. In order to apply these models properly, it is necessary to have forensic officers with strong technical background. On the other hand, from the lawyers’ point of view, this is a legal process and should follow the legal program and must within certain restraints. Considering technique experts’ and legislation experts’ viewpoint, there is no discrepancy between them. Forensic process can be divided into different stages. Technical experts are focusing on how to divide the whole process reasonably and make each stage clearly and easy to manage. Some models introduce the thinking of software engineer into them. Judges concerns more on whether the forensic process is performed under the legal disciplines, whether captured evidences are maintained their integrity attribute, and whether these evidences are relative with the case. Therefore, judges don’t need to be proficient in every detail of forensic process, but they can supervise the chain of custody if necessary. So regardless which forensic model is used, when chain of custody is checked, there should be enough data to prove whether the integrity is held or not. Of course the supervision needs technique support. But it doesn’t mean if there is no technical expert on the spot, the supervision task can’t be executed. Besides the technical details, other aspects should be censored in a standardized way, and after that, judges can draw the conclusion whether the integrity attribute is maintained. If they need to clarify some technical problems, they could decide whether it is necessary to ask technical experts for help. Therefore, the boundary of technique and law is clear, that is the data offered during the supervision and the standardized way of supervision. As there is no unified forensic model, the data given should not be fixed tightly. In the following, we call
202
Y. Wang
these give data as interface data. According to technical doctrine of equivalents, the interface data can’t incline to certain technique. And the standardized supervision is also principle, not specific for any technique or model(s).
3
Interface Data and Supervision
From above analysis, the core of the problem is how to supply interface data and how to design a standardized supervision way. In order not to be lost in detail, we first divide forensic process into five phases. They are preparation, evidence capture and collection, evidence analysis, evidence depository, and evidence submission. In some models, the stage division is different, but it is not the point. Here logic order is important. Once the logic order is right, a step belongs to previous phase or next phase is not critical. Through discuss the inner relationship between different steps and stages, this paper gives a logic order table, which declares that forensic progress has to comply certain programs in order to guarantee the integrity of whole chain of custody, and during the programs, interface data can be determined, which is the important information for supervision. 3.1
Interface Data
According to the five stages mentioned above, let’s discuss them one by one. 1. Preparation In this phase, the main task includes selecting qualified people or training people to satisfy computer forensic tasks, acquiring legal permission for investigation and evidence collection, planning how to execute forensics in detail, such as background information collection, environment analysis, and arrangement, etc. 2. Evidence Capture and Collection This stage is engaged in evidence fixing, capture and collection. The evidences include physical evidences and digital evidences. The former can use traditional evidences capture technique, and the latter need computer forensic technique to get stationary and dynamic electronic evidences. Then the collected evidences need to be fixed, and electronic evidences need to calculate digital signature to avoid original data is tampered. 3. Evidence Analysis It is based on former phase. Evidences captured on second phase are analyzed in this stage. The main tasks are finding out useful and hidden evidences from amount of physical materials and digital data. Through IT technology and other traditional evidence analyzing technique, extract and make up evidences. 4. Evidence Depository When evidences are collected in second phase, and up to they are submitted in court, during this period of time, the evidences should be put in a secure and good environment. It can guarantee that they will not be destroyed, tampered and become invalid. Evidences stored here are managed well.
Study on Supervision of Integrity of Chain of Custody in Computer Forensics
203
5. Evidence Submission In this phase, evidences collected and analyzed from above phase will be demonstrated and cross examined in court. Besides necessary reports written on evidences analysis phase, evidences should be submitted follow certain format required by law. When it comes to electronic evidences, the data which guarantee the integrity of chain of custody are also need to submit. From above analysis, the basic data generated from each phase are clear, and demonstrated in table one. Table 1. Interface data
Phase Num. Preparation
1. 2. 3.
Evidence Capture Collection
and
Interface data Certificate for proofing person who does forensic tasks is qualified. Legal permission for investigation and evidence collection. Other data if needed by special requirements.
Comments: Except emergency formulated by law that could obtain legal permission after evidence capture and collection, other cases are not permitted. 1. Investigation and captured evidences are within the legal permission. 2. Traditional evidences capturer and collection follow current law’s regulation. They should supply spot records, notes, take photos, and sign signatures etc. 3. For each of electronic evidence, it should calculate digital signature so as to guarantee the originality and integrity. 4. For dynamic data capture, if condition permitted, it should take video to record the whole collection process. Or 2 or more people should on the spot, and record the whole procedure. Comments: In this phase, if during executing tasks, accident happens, such as finding out unexpected evidences but without legal permission, criminals take extreme actions to destroy or damage evidences, and other unpredictable things, forensic officers could take measures agilely according to current law.
Evidence Analysis
1. 2.
3.
Traditional evidence analysis follows current law. Electronic evidence analysis should be taken by qualified organizations, and they should not be delegated by personal people. During electronic evidence analysis, if condition permit, examination and analysis should be under monitor. If there is no video, there should be a complete report on how examination and analysis are going on, 2 or more people should sign their signature. The report should meet the format requirements needed by law.
204
Y. Wang Table 1. (continued)
Evidence Depository
1. 2.
Evidence Submission
1.
2.
The depository should have proper environment to store electronic evidences. During the storage time, there should have complete record for in and out, and the state of electronic evidence for each time. Since electronic evidence cannot be perceived directly from the storage medium, in order to make it clear and easy to understand, necessity transformation should be taken. Interface data generated on above phases relevant to proof the integrity of electronic evidences should be demonstrated in court.
Table one gives an overview of the framework of the interface data, if refine them further, there will be a lot of tables and documents need to standardize and define. This paper doesn’t intend to regular every rule in every place, but suggests a boundary between law and computer technology. Once the boundary is clear, two sides can devote them to their work. The details and imperfect field can be remedy gradually. 3.2
Supervision
After realizing whole forensic procedure, judges can make up their mind based on fundamental rules, and don’t need sink into technique details. According to the logic order in forensic process, judges are mainly concerned on following aspects. 1. Collected evidences should be within legal permission. Through check the range of legal permission and its valid date, this one can be determined. Investigating the method of obtaining evidences to make sure evidences are legal. For example, judges can check out whether the forensic officers have certificates to proof they are qualified for computer forensic tasks. Before investigation and evidence collection, whether they have applied legal permission or there is any emergency exceptions. 2. Evidences collected on spot should have complete formality. Traditional evidence collecting has formed a set of formal programs and regulations. As for electronic evidence, the program and regulation are not perfect, some fields are still blank. During the transition, if it refers technique problems, judges can ask technique experts for help. If it refers legal questions, judges have to follow current law. The difficulty is when current law doesn’t formulate the solution, what can judges do? Our suggestion is creation. If the situation is never meet before, then it is mainly based on judges’ experience and their comprehensive quality, with the help of technique experts, they give a new solution. If this case handles well, the solution can be the reference for other cases. And later, it is a good reference material for making new legislation.
Study on Supervision of Integrity of Chain of Custody in Computer Forensics
205
3. Report from evidence analysis should be standardized and regular. In this phase, tasks are mainly technical. Qualified organizations are delegated to do the evidence analysis. The interface data in this stage are often report. The person who writes the report should have certificate and be authorized, he or she knows the obligation when issued reports to court. Constrains and supervision are mainly on organization audit and assessor audit. Judges are concerned on whether the organization and assessor follow the regulations. 4. Evidence depository should have complete supervision and management records. Evidence depository runs through the whole forensic procedure. If there is a link loose, or there is a time period is blank, there is a possibility the evidences lose their integrity. Judges should check the records carefully to make sure that the evidences are not damaged or tampered. If there is technique questions, judges can ask technique experts for help.
Fig. 1. Border of Technique and Legislation
5. Evidence submission should link above phase and factors together to obtain a chain of custody. In this phase, valid evidences are displayed in court. Besides the evidences themselves, the chain of custody maintains integrity is also very important. Therefore, two aspects
206
Y. Wang
are concerned in this stage, evidences and proof of integrity of evidences. Lawyers have the duty to arrange these evidences and their relevant proof materials, and let judges to determine the result. Let’s summarize the supervision procedure briefly: first legality examination, next normative examination, then standardization examination, finally integrity overview and check. Figure 1 displays the relationship between technique and legislation, which indicates that the cross field locates on interface data. If two sides define interface data clearly and can operate easily, the problem will be almost solved.
4
Conclusions
Nowadays more and more cases referring to electronic evidences appear. The contradiction between high incidences and inefficient handling gives huge pressure to the society. Both lawful professionals and technique experts are working together to face such challenges. This paper based on previous studies, gives some suggestions on how to reduce the burden of judges’ task to determine the integrity of chain of custody to improve the speed of case handling.
References 1. Kruse, W.G., Heiser, J.G.: Computer Forensics: Incident Response Essentials, 1st edn. Pearson Educaiton, London (2003) 2. Baryamureeba, V., Tushabe, F.: The Enhanced Distal Investigation Process Model, http://www.dfrws.org/bios/dayl/Tushabe_EIDIP.pdf 3. Mason, S.: Electronic evidence disclosure, discovery & admissibility, LexisNexis Butterworths (2007) 4. Qi, M., Wang, Y., Xu, R.: Fighting cybercrime: legislation in China. Int. J. Electronic Security and Digital Forensics 2(2), 219–227 (2009) 5. Robbins, J.: An Explanation of Computer Forensics, http://computerforensics.net/forensics.htm 6. See Amendments To Uniform Commercial Code Article 2, by The American Law Institute and the National Conference Of Commissioners On Uniform State Laws (February 19, 2004) 7. Farmer, D., Venema, W.: Computer Forensics Analysis Class Handouts (1999), http://www.fish.com/forensics/class.html 8. Mandia, K., Prosise, C.: Incident Response. Osborne/McGraw-Hill (2001) 9. Robbins J. An Explanation of Computer Forensics [EB/OL], http://computerforensics.net/forensics.htm 10. Gahtan, A.M.: Electronic Evidence, pp. 157–167. The Thomson Professional Publishing (1999)
On the Feasibility of Carrying Out Live Real-Time Forensics for Modern Intelligent Vehicles Saif Al-Kuwari1,2 and Stephen D. Wolthusen1,3 1
Information Security Group, Department of Mathematics, Royal Holloway, University of London, Egham Hill, Egham TW20 0EX, United Kingdom 2 Information Technology Center, Department of Information and Research, Ministry of Foreign Affairs, P.O. Box 22711, Doha, Qatar 3 Norwegian Information Security Laboratory, Gjøvik University College, P.O. Box 191, N-2802 Gjøvik, Norway
Summary. Modern vehicular systems exhibit a number of networked electronic components ranging from sensors and actuators to dedicated vehicular subsystems. These components/systems, and the fact that they are interconnected, raise questions as to whether they are suitable for digital forensic investigations. We found that this is indeed the case especially when the data produced by such components are properly obtained and fused (such as fusing location with audio/video data). In this paper we therefore investigate the relevant advanced automotive electronic components and their respective network configurations and functions with particular emphasis on the suitability for live (real time) forensic investigations and surveillance based on augmented software and/or hardware configurations related to passenger behaviour analysis. To this end, we describe subsystems from which sensor data can be obtained directly or with suitable modifications; we also discuss different automotive network and bus structures, and then proceed by describing several scenarios for the application of such behavioural analysis. Keywords: Live Vehicular Forensics, Surveillance, Crime Investigation.
1
Introduction
Although high-speed local area networks connecting the various vehicular subsystems have been used, e.g. in the U.S. M1A2 main battle tank1 , complex wiring harnesses is increasingly being replaced by bus systems in smaller vehicles. This means that functions that had previously been controlled by mechanical/hydraulic components are now electronic-based, giving raise to the X-byWire technology [1], potentially turning the vehicle into a collection of embedded interconnected Electronic Control Unites (ECU). However, much of the recent increase in complexity has arisen from comfort, driving aid, communication, and 1
Personal communication, Col. J. James (USA, retd.).
X. Lai et al. (Eds.): E-Forensics 2010, LNICST 56, pp. 207–223, 2011. c Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2011
208
S. Al-Kuwari and S.D. Wolthusen
entertainment systems. We argue that these systems provide a powerful but asyet under-utilised resource for criminal and intelligence investigations. Although dedicated surveillance devices can be installed at the in-vehicle system, these are neither convenient nor economical. On the other hand, the mechanisms proposed here can be implemented purely in software and suitably obfuscated. Moreover, some advanced automotive sensors may also provide redundant measurements that are not being fully used by the corresponding function, such as visionbased sensors used for object detection where images/video from the sensor’s measurements are inspected to detect the presence of objects or obstacles. With appropriate modifications to the vehicular electronic systems, this (redundant) sensor information can then be used in forensics investigation. However, the fact that components are interconnected by bus systems implies that only central nodes, such as navigation and entertainment systems, will need to be modified and can themselves collect sensor data either passively or acquire data as needed. We also note the need for awareness of such manipulations in counter-forensic activity, particularly as external vehicular network connectivity is becoming more prevalent, increasing the risk, e.g., of industrial espionage. The paper is structured as follows: in section 2 related works are presented. We then provide a brief overview of modern automotive architecture, communication and functions (in sections 3 - 7), followed by a thorough investigation on the feasibility of carrying out vehicular live forensics (in sections 8 - 9). The paper finally concludes in section 10 with conclusions and final remarks.
2
Related Work
Most vehicular forensic procedures today mainly concentrate on crash/accident investigations and scene reconstruction. Traditionally, this used to be carried out by physically examining the vehicular modules, but since these are increasingly being transformed into electronic systems, digital examination is now required, too. Moreover, most modern vehicles are equipped with an Event Data Recorder (EDR) [2,3] module or colloquially black box. Data collected by the EDR units include pre-crash information such as pre-crash system state and acceleration, driver input, and post-crash warnings. This information is clearly suitable for accident investigation, but not for criminal ones as ongoing surveillance requires data other than the operational state of the vehicle and selective longer-term retention. Nilsson and Larson have investigated the feasibility of combining both physical and digital vehicular evidence [4], showing that such approach improves typical crime investigations. They also carried out a series of related studies, mainly concerned with the security of the in-vehicle networks and how to detect attacks against them [5]. However, the focus of our work is somewhat different in that we take a more active role in our forensic examination and try to observe, in real-time, the behaviours of drivers and passengers, taking advantage of the recently introduced advanced electronic components and functions in typical modern higher-end vehicles.
Automotive Live Forensics
3
209
Intelligent Vehicles Technology
The term Intelligent vehicle generally comprises the ability of the vehicle to sense the surrounding environment and provide auxiliary information in which the driver or the vehicular control systems can make judgments and take suitable actions. These technologies mainly involve passenger safety, comfort and convenience. Most modern vehicles implementing telematics (e.g. navigation) and driver assistance functions (e.g. parking assist), can be considered intelligent in this sense. Evidently, these functions are very rapidly spreading while becoming common even in moderately priced vehicles. This has highly motivated this research since, for the best of our knowledge, no previous work has been undertaken to exclusively investigate these new sources of information vehicles can offer for digital forensics examiners. However, before discussing such applications and functions, we first briefly review basic general design and functional principles of automotive electronic systems.
4
Automotive Functional Domains
When electronic control systems were first used in the 1970’s vehicles, individual functions were typically associated with separate ECU. Although this unified ECU-function association was feasible for basic vehicle operation (with minor economical implications), it quickly became apparent that networking the ECUs was required as the complexity of systems increased and information had to be exchanged among units. However, different parts of the vehicle have different requirements in terms of performance, transmission and bandwidth, and also have different regulatory and safety requirements. Vehicular electronic systems may hence be broadly divided into several functional domains [6]: (1) Power train domain: also called drivetrain, controls most engine functions, (2) Chassis domain: controls suspension, steering and braking, (3) Body domain: also called interior domain, controls basic comfort functions like the dashboard, lights, doors and windows; these applications are usually called multiplexed applications, (4) Telematics & multimedia domain: controls auxiliary functions such as GPS navigation, hands-free telephony, and video-based functions, (5) Safety domain: controls functions that improve passenger safety such as belt pretensioners and tyre pressure monitoring. Communication in the power train, chassis and safety domains is required to be in real-time for obvious reasons (operation and safety), while communication in the telematics & multimedia needs to provide sufficiently high data rates capable of transmitting bulk multimedia data. Communication in the body domain, however, does not require high bandwidth and usually involves limited amounts of data. In this paper, we are interested in functions that can provide a forensically useful data about driver and passenger behaviour; such data is mostly generated by comfort and convenience functions within the telematics & multimedia domain, though some functions in the body and safety domains are also of interest, as will be discussed later.
210
5
S. Al-Kuwari and S.D. Wolthusen
Automotive Networks and Bus Systems
Early interconnection requirements between ECUs were initially addressed by point-to-point links. This approach, however, increased the inter-ECU links exponentially as the number of ECUs increased, which introduced many reliability, complexity, and economical implications. Consequently, automotive networks emerged to reduce the number of connections while improving overall reliability and efficiency. Generally, automotive networks are either event-triggered (where data is transmitted only when a particular event occurs) or time-triggered (where data is periodically transmitted in time slots) [7]. In an attempt to formalise the distinction between these networks, the society of Automotive Engineers (SAE) classified automotive networks into four main classes: (1) Class A: for functions requiring low data rate (up to 10kbps), such as lights, doors and windows. An example of class A is LIN network. (2) Class B: mostly for data exchange between ECUs and has data rate of up to 125 kbps. An example of class B is Low speed CAN network. (3) Class C: for functions demanding high data rate up to 1Mbps (most functions in the Power train and Chassis domains). An example of class C is High speed CAN network. (4) Class D: for functions requiring data rate of more than 1Mbps, such as most functions in the Telematics & Multimedia domain, and some functions in the safety domain. Example of class D are FlexRay and MOST networks. We note that a typical vehicle today consists of a number of different interconnected networks, thus any information generated by any ECU can be received at any other ECU [8]. However, since ECUs are classified into functional domains and each domain may deploy a different network type, gateways are used for inter-domain communication. In the following subsections we provide a brief overview of an example network from each class; table 1 presents a summary comparison between these networks [9]. LIN. Local Interconnect Network (LIN) was founded in 1998 by the LIN Consortium [10] as an economical alternative for CAN bus system and is mainly targeted for non-critical functions in the body domain that usually exchange low-volume data and thus does not require high data rates; such data is also not required to be delivered in real-time. LIN is based on master-slave architecture and is a time-driven network. Using an unshielded copper single wire, LIN bus can extend up to 40m while connecting up to 16 nodes. Typical LIN applications include: rain sensor, sun roof, door locks and heating controls [11]. CAN. Controller Area Network (CAN) [12] is an event-driven automotive bus system developed by Bosch and released in 1986 (latest version is CAN 2.0 released in 1991). CAN is the most widely used automotive bus system, usually connecting ECUs of the body, power train and chassis domains, as well as interdomain connections. There are two types of CAN: (1) Low-speed CAN: standardized in ISO11519-2 [13], supports data rate of up to 125kbit/s and mostly operates in the body domain for applications requiring slightly higher transmission rate than LIN; example applications include: mirror adjustment, seat
Automotive Live Forensics
211
Table 1. Comparison between the most popular automotive networks LIN Class A Body
Class Domain
Standard
Low-CAN Class B Body, Power Train, chassis
High-CAN Class C Power Train, chassis
LIN Consor- ISO 11519-2 ISO 1198 tium Data 19.2 kbit/s 125 kbit/s 1 Mbit/s
Max. rate Topology Bus Max. node no. 16 Applications
Bus 24
windows, lights, doors wipers Control Mech- Time-driven Eventanism driven
FlexRay Class C & D Power train, Chassis, Telematics & Mult., Safety FlexRay Consortium 20 Mbit/s
MOST Class D Telematics and Multimedia MOST Consortium 22.5 Mbit/s
Bus 10
Star (mostly) Ring 22 per 64 bus/star Engine, airbag CD/DVD Transmission player Event-driven Time/Event- Time/Eventdriven driven
adjustment, and air-conditioning. (2) High-speed CAN: standardized in ISO11898 [14], supports data rate of up to 1 Mbit/s and mostly operates in the power train and chassis domains for applications requiring real-time transmission; example applications include: engine and transmission management. FlexRay. Founded by the FlexRay consortium in 2000, FlexRay [15] was intended as an enhanced alternative to CAN. FlexRay was originally targeted for X-by-Wire systems which require higher transmission rates than what CAN typically supports. Unlike CAN, FlexRay is a time-triggered network (although event-triggering is supported) operating on TDMA (Time Division Multiple Access) basis, and is mainly used by applications in the power train and safety domains, while some applications in the body domain are also supported [9]. FlexRay is equipped with two transmission channels, each having a capacity of up to 10 Mbit/s and can transmit data in parallel, achieving an overall data rate of up to 20 Mbit/s. FlexRay supports point-to-point, bus, star and hybrid network topologies. MOST. Recent years have witnessed a proliferation of in-vehicle multimediabased applications. These applications usually require high bandwidth to support real-time delivery of the large multimedia data. As a result, the Media Oriented Systems Transport (MOST) bus system [16] was developed in 1998 and is today the most dominant automotive multimedia bus system. Unlike CAN (which only defines the physical and data link layers), MOST comprises all the OSI reference model layers and even provides various standard application interfaces for improved interoperability. MOST can connect up to 64 nodes in a ring topology with a maximum bandwidth of 22.5 Mbit/s using an optical bus (though recent
212
S. Al-Kuwari and S.D. Wolthusen
MOST revisions support even higher data rate). Data in MOST network is sent in 1,024 bits frames, which suits the demanding multimedia functions. MOST supports both time-driven and event-driven paradigms. Applications of MOST including audio-based (e.g. radio), video-based (e.g. DVD), and telematics.
6
Automotive Sensors
A typical vehicle integrates at least several hundred sensors (and actuators, although this is not a concern for the present paper), with increasing number of sensors even in economical vehicles to provide new safety, comfort and convenience functions. Typically, ECUs are built from microcontrollers which control actuators based on sensor inputs. In this paper, we are not concerned with technical sensor technology issues such as how sensor information is measured and the accuracy or reliability of measurements, but rather in either the raw sensor information or the output of the ECU microcontrollers based on information from those sensors; for a comprehensive discussion about automotive sensors, the reader is referred to, e.g., [17].
7
Advanced Automotive Applications
Currently, typical modern vehicles contain around 30–70 Electronic Control Units (ECU) [18], most of which are part of the power train and the chassis domains and thus usually connected by CAN buses. However, while different vehicles maintain approximately similar number of these essential ECUs, the number of ECUs in other domains (especially the telematics & multimedia and safety domains) significantly differ for different vehicle models and they are mostly what constitute the intelligent vehicle technology. In the following we discuss examples of functions integrated in most modern, intelligent vehicles. Most of these functions are connected via MOST or FlexRay networks with few exceptions for functions that may be implemented in the body domain (and hence are typically connected by LIN or CAN links). Adaptive Cruise Control. One of the fundamental intelligent vehicle functions is Adaptive Cruise Control (ACC). Unlike static cruise, which fixes the traveling speed of the vehicle, in ACC, the vehicle senses its surrounding environment and adjusts its speed appropriately; advanced ACC systems can also access the navigation system, identify the current location and adhere to the speed limit of the corresponding roadway and respond to road conditions. ACC can be based on Radar (radio waves measurements), LADAR (laser measurements), or computer vision (image/video analysis) [19]. In Radar and LADAR based ACC, radio waves and laser beams, respectively, are emitted to measure the range (the distance between the hosting vehicle and the vehicle ahead) and the range rate (how fast the vehicle ahead is moving), and adapt the traveling speed accordingly. In vision-based ACC, a camera mounted behind the windshield or the front bumper captures video images of the front scene in which
Automotive Live Forensics
213
computer vision algorithms are applied on to estimate the range and range rate [20]. Note that there are a few variants of ACC, e.g. high-speed ACC, low-speed ACC etc. While all of these variants are based on the same basic principles as outlined above, some of them take more active roles, such as automatic steering. Lane Keeping Assist. Lane Keeping Assist (LKA) is an application of Lane Departure Warning Systems (LDWS) and Road Departure Warning Systems (RDWS). Motivated by safety reasons, LKA is now a key function in intelligent vehicles. The most widely used approach of implementing LKA is by processing camera images for the road surface and identifying lane edges (usually represented by white dashed lines), then either warn the driver or automatically adjust the steering away from the lane edge; similar process is applied when departing from roads. Other approaches to implement LKA include roadway magnetic markers detection, and using digital GPS maps [19], but these are less commonly used since not all roadways are equipped with magnetic markers (which is extremely expensive), while GPS lane tracking does not always produce acceptably accurate measures and may also be based on inaccurate maps. Parking Assist. Parking assist systems are rapidly becoming an expected feature. Implementations range from basic ultrasonic sensor alerts to an automated steering for parallel parking as introduced in Toyota’s Intelligent Parking Assist (IPS) system in 2003. Usually, these systems have an integrated camera mounted at the rear bumper of the vehicle to provide a wide angle rear-view for the driver and can be accompanied with visual or audible manoeuvre instructions to guide the vehicle into parking spaces. Blind Spot Monitoring. Between the driver’s side view and the driver’s rearview, there is an angle of restricted vision usually called the blind spot. For obvious safety reasons, when changing the lane, vehicles passing through the blind spot should be detected, which is accomplished by the Blind Spot Monitoring (BSM) systems. Such systems detect vehicles in the blind spot by Radar, LADAR or Ultrasonic emitters, with vision-based approaches (i.e. camera image processing) also becoming increasingly common. Most of these systems initiate warnings to the driver once a vehicle is detected in the blind spot, but future models may take a more active role to prevent collisions by automatically control the steering. Note that blind spot monitoring may also refer to systems that implement an adjustable side mirrors to reveal the blind spot to the driver, e.g. [21], but here we refer to the more advanced (and convenient) RF- and/or vision-based systems. Head-up Display and Night Vision. Head-Up Display (HUD) technology was originally developed for aircrafts. HUD projects an image on a vehicle’s front glass (in aviation applications this was originally a separate translucent pane), which will appear for the driver to be at the tip of the bonnet, and can be used to display the various information such as dashboard information or even navigation instructions. Beginning in the mid-1990s, General Motors (GM) used
214
S. Al-Kuwari and S.D. Wolthusen
HUD technology to enhance visibility at night by adding night vision functions to the HUD. In this technology, the front bumper of the vehicle is equipped with an infrared camera which provides enhanced night vision images of the road ahead and projects it for the driver. Infrared cameras detect objects by measuring the heat emitted from other vehicles, humans or animals. Recent trends use NearInfrared (NIR) cameras instead which are also able to detect cold objects like trees and road signs [19]. However, the range of NIR is shorter and extends for only around 100m compared to around 500m in the case of the conventional (thermal) infrared cameras. Telematics and Multimedia. Originally motivated by location-based services, telematics is now a more general term and comprises all wireless communication to and from the vehicle to exchange various types of information, including navigation, traffic warnings, vehicle-to-vehicle communication and, recently, mobile Internet and mobile TV. Telematics services have seamlessly found their way to intelligent vehicles becoming totally indispensable from them. However, it is not clear whether multimedia-based services should be classified under telematics and indeed there is a fine line between the two; for brevity, and to prevent confusion, we here merge them under a single class and assume that they use similar bus technology (typically MOST or FlexRay). Multimedia-based services involve the transmission of large (and sometimes real-time) data, which require high data rates; examples of multimedia applications include hands-free phones, CD/DVD players, radio and voice recognition. Navigation. Automotive navigation systems are among the most essential telematics applications in modern vehicles and can be either integrated or standalone. Off-the-shelf (aftermarket) standalone navigation systems operate independently from other in-vehicle automotive components; this type of portable systems is largely irrelevant for our discussion since it can be easily removed or tampered with, although some integration with other components via, e.g., Bluetooth may occur. Built-in navigation systems, on the other hand, are often tightly integrated with other in-vehicle ECUs. In this case, navigation is not solely dependant on GPS technology, instead it takes advantage of its in-vehicle integration by receiving inputs from other automotive sensors; this is especially advantageous as GPS signals are not always available. Built-in navigation systems use the Vehicle Speed Sensor (VSS) or tachometer sensor to calculate the vehicle’s speed, the yaw rate sensor to detect changes in direction, and GPS to determine the absolute direction movement of the vehicle. Integration also provides further benefits in applications such as Adaptive Light Control, automatically adjusting headlight settings to, e.g., anticipate turns, or simply by highlighting points of interest such as petrol stations in low-fuel situations. Occupant Sensors. For safety reasons, it is important to detect the presence of occupants inside the vehicle. This is usually accomplished by mounting sensors under the seats to detect occupancy by measuring the pressure of an occupant’s weight against the seat [22]. More advanced systems can even estimate the size
Automotive Live Forensics
215
of the occupant and consequently adjust the inflation force of the airbag in case of an accident since inflating the airbag with sufficiently high pressure can sometimes lead to severe injuries or even fatalities for children. Occupant detection can also be used for heating and seat belt alerts. However, rear seats may not always be equipped with such sensors, so another type of occupancy sensing primarily intended for security based on motion detectors is usually used [23]. These sensors can be based on infrared, ultrasonic, microwave, or radar and will detect any movements within the interior of the entire vehicle.
8
Live Forensics
Digital forensic examinations have rapidly become a routine procedure of crime and crime scene investigations even where the alleged criminal acts were not themselves technology-based. Although vehicular forensic procedures are slightly less mature than conventional digital forensics in personal computers and mobile (smart) phones, for example, we argue that the rich set of sensors and information obtainable from vehicles, as outlined above, can provide important evidence. Forensic examiners, therefore, are now starting to realise the importance of vehicular-based forensics and evidence. Moreover, as the same techniques can also be used, e.g., in (industrial) espionage, awareness of forensic techniques and counter-forensics in this domain are also becoming relevant. Typical forensic examinations are carried out either offline or online (live). Offline forensics involves examining the vehicle after an event while online forensics observe and report on the behaviour of a target in real-time. Note that this taxonomy may not agree with the literature where sometimes both offline and online forensics are assumed to take place post hoc and differ only by whether the vehicle is turned on or off, respectively, at the time of examination. Live forensics in this context is slightly different from surveillance as the latter may not always refer to exclusively observing criminals/suspects. When adopting an online forensic approach, live data can be collected actively or passively. In either case, the system has to be observed appropriately before initiating the data collection process. In active live forensics, we have partial control over the system and can trigger functions to be executed without occupant knowledge. In passive live forensics, on the other hand, data are collected passively by intercepting traffic on vehicular networks. The observation process can be either hardware or software-based as discussed in sections 8.1 and 8.2, respectively. In both cases, data is collected by entities called collectors; while passive forensics may be approached by both software and hardware-based solutions, active forensics may only be feasible in a software-based approach owing to the (usually) limited time available to prepare a target vehicle for the hardware-based one. As discussed in section 7, a typical intelligent vehicle integrates numerous functions usable for evidence collection and surveillance; this is a natural approach even for normal operation. For example, parking assist units are sometimes used by the automatic steel folding roof systems in convertibles to first
216
S. Al-Kuwari and S.D. Wolthusen
monitor the area behind the vehicle and assesses whether folding the roof is possible. Similarly, we can observe and collect the output of relevant functions and draw conclusions about the behaviour of the occupants while using such data as evidence. We generally classify the functions we are interested in as visionbased and RF-based functions, noting that some functions can use a complementary vision-RF approach, or have different modes supporting either, while other functions based on neither vision or RF measurement can still provide useful information as shown in section 9: (1) Vision-based functions: these are applications based on video streams (or still images) and employ computer vision algorithms – sometimes we are interested in the original video data rather than the processed results. Examples of these applications include: ACC, LKA, parking assist, blind spot monitoring, night vision, and some telematics applications. Vision-based applications are generally based on externally mounted cameras, which is especially useful to capture external criminal activities (e.g. exchanging/selling drugs), even allowing to capture evidence on associates of the target. Furthermore, newer telematics models may have built-in internal cameras (e.g. for video conferencing) that can capture a vehicle’s interior. (2) RF-based functions: similarly, these are applications based on wireless measurements such as ultrasonic, radar, LADAR, laser or Bluetooth. Unlike vision-based applications, here we are mostly interested in post-analysis of these measurements as raw RF measurements are typically not forensically meaningful. 8.1
Hardware-Based Live Forensics
The most straightforward solution for live forensics is to adopt a hardware-based data collection approach which involves installing special intercepting devices (collectors) around the vehicle to observe and collect the various types of data flowing through the vehicular networks. The collectors can be attached to ECU’s or other components and capture outbound and/or inbound traffic. This information may then be locally stored inside the collectors or in a central location such as an entertainment system for later retrieval if sufficient local storage is available, or otherwise, the collectors can be configured to establish a private connection to an external location (i.e. federated network) for constant data transmission. This private network can, e.g., be setup through GSM/UMTS in cooperation with the carrier. It is of utmost importance to carefully decide where to install these collectors, thus a good understanding of the data flow within the in-vehicle automotive system is required. Since different vehicle makes and even models have slightly different specifications, in this section we try to discuss the most attractive observation loci within the vehicle. As described above, vehicular systems contain several networks of different types that are interconnected by gateways, which can be considered the automotive equivalent of routers in conventional networks. Either a central gateway is used where all networks are connected to a single gateway (see figure 1(a)), or these networks are connected by several gateways (see figure 1(b)). In our live forensics examination, we are only interested in data
Automotive Live Forensics
217
generated by specific ECU’s (mostly those that are part of MOST or FlexRay networks which correspond to functions in the body, telematics and safety domains), thus only those gateways connecting such networks need to be observed. However, in some cases, observing the gateways only may not be sufficient because in some applications we may also be interested in the raw ECU sensor readings (such as camera video/images) which may be inaccessible from gateways. For example, in vision-based blind spot monitoring application, the information relevant to the driver is whether there is an obstacle at the left/right side of the vehicle, but we are not interested in this information, we are only interested in the video/image that the corresponding sensors capture to be used to detect the presence of an obstacle (i.e. we are interested in the ECU input, while only the output is what normally sent through the gateway). Thus, in such cases, we may need to observe individual ECU’s rather than gateways. Note, however, that observing gateways only may work for some applications where the input and the output are similar, such as parking assist where the parking camera transmits a live video stream to the driver. Dignostic LIN
MOST
Central Gatway
FlexRay
CAN
LIN
CAN
(a) Central gateway architecture Dignostic LIN G5 MOST
G1
G3
G2
LIN
G4
FlexRay CAN
CAN
(b) Distributed gateway architecture Fig. 1. Sample Automotive Network Architectures
8.2
Software-Based Live Forensics
Although by simply installing hardware collectors at particular ECU’s or gateways, we will be able to collect live forensic data, such an approach may be limited due to aspects: (1) Flexibility: Since installation and removal of the hardware collectors need to be carried out manually and physically, they are inflexible
218
S. Al-Kuwari and S.D. Wolthusen
in terms of reconfigurability and mobility; that is, once a devices is installed, it cannot be easily reconfigured or moved without physical intervention, which is not convenient or even (sometimes) possible. (2) Installation: The installation process of these devices will pose a serious challenge as locating and identifying the relevant ECU’s or gateways is often difficult especially when some functions use information from several ECU’s and sensors. Moreover, physical devices may be observable by an investigating target. (3) Inspection: the collectors will very likely collect large amount of possibly irrelevant data (such as channel management data); although this can be mitigated by using slightly more sophisticated collectors that filter observed traffic before interception, this introduces cost and efficiency implications. Software based solutions, on the other hand, seem to alleviate these problems. Traditionally, the in-vehicle software (firmware) is updated manually via the vehicle’s on-board diagnostic port. However, with the introduction of wireless communication, most manufacturers are now updating the firmware wirelessly, which, in turn, introduced several security concerns. Indeed, a recent work [24] showed that automotive networks are still lacking sufficient security measures. Thus, in our scenario, and following a particular set of legal procedures (see section 10), we can install the collectors as firmware updates with relative ease. These updates are then injected into the in-vehicle networks wirelessly and routed to the appropriate ECU. Although software-based live forensics may be flexible and efficient, it poses a whole new class of compatibility and potentially safety issues. Unfortunately, most of the current software-based automotive solutions are proprietary and hardware dependant; thus, it may appear that unless we have knowledge of the automotive software and hardware architecture we are targeting, we will not be able to develop a software application to carry out our live forensics process, and even if we have such knowledge, we will be able to develop such software that will only work in the system it was developed for (lack of interoperability). However, these interoperability limitations (which also affect other automotive applications) have recently been realised and drove the leading automotive manufacturers and suppliers to establish an alliance for developing a standardized software architecture, named AUTOSAR. AUTOSAR. AUTomotive Open System ARchitecture (AUTOSAR) is a newly established initiative by a number of leading automotive manufacturers and suppliers that jointly cooperated to develop a standardized automotive software architecture under the principle “cooperate on the standard, compete on the implementation”. The first vehicle containing AUTOSAR components was launched in 2008 while a fully AUTOSAR supported vehicle is expected in 2010. AUTOSAR aims to seamlessly separate applications from infrastructure so automotive applications developers do not have to be concerned about hardware peculiarities, which will greatly mitigate the complexity of integrating new and emerging automotive technologies. AUTOSAR covers all vehicle domains and functions from engine and transmission to wipers and lights. The main design principle of AUTOSAR is to abstract the automotive software development
Automotive Live Forensics
219
process and adopt a component-based model where applications are composed of software components that are all connected using a Virtual Functional Bus (VFB), which handles all communication requirements. AUTOSAR transforms ECUs into a layered architecture on top of the actual ECU hardware, as shown in figure 2 (a simplified view of the AUTOSAR layers). Below are brief descriptions of each layer:
ASW_1
ASW_2
ASW_3
Application Layer
ASW_n
AUTOSAR Runtime Environment (RTE)
Basic Software Layer
ECU-Hardware
Fig. 2. AUTOSAR layered architecture
(1) AUTOSAR application layer: composed of a number of AUTOSAR software components (ASW). These components are not standardized (although their interfaces with the RTE are) and their implementation depends on the application functions. (2) AUTOSAR Runtime Environment: provides communication means to exchange information between the software components of the same ECU (intra-ECU) and with software components of other ECUs (inter-ECU). (3) Basic software layer: provides services to the AUTOSAR software components and contains both ECU independent (e.g. communication/network management) and ECU dependent (e.g. ECU abstraction) components. AUTOSAR standardises 63 basic software modules [25]. All software components are connected through the Virtual Functional Bus (VFB) which is implemented by the RTE at each ECU (VFB can be thought of as the concatenation of all RTE’s). This paradigm potentially hides the underlying hardware from the application view, which, clearly, has advantageous consequences when collecting evidence for forensic examination. Thus an AUTOSARbased collection tool will be compatible with all AUTOSAR supported vehicles. Furthermore, since the VFB allows seamless collection via different software components at different ECUs, a single live forensic software will be able to communicate with different software components and retrieve data from other applications and functions without having to be concerned with communication and other ECU-dependant issues.
220
S. Al-Kuwari and S.D. Wolthusen
Active Software-Based Live forensics. As discussed above, active live forensics appears feasible mainly when collectors are based on software, and is further facilitated by architectures such as AUTOSAR. An example of a typical application where active live forensics can be carried out is the vehicle’s built-in handsfree telephony system. Although features and functions offered by the hands-free system may be different from a particular vehicle model to another, most recent models of hands-free system will synchronise some information with the phone it is paired with, including address books (contacts list) and call history. One benefit of this synchronisation process is allowing the driver to interact with the phone through the vehicle entertainment and communication system instead of the handset itself. This functionality is particularly useful for our live forensic investigation since it means that once the phone is paired with the hands-free system, the hands-free system can control it. Thus, an obvious active live forensic scenario is for the collector to initiate a phone call (without the knowledge of the driver) to a particular party (e.g. law enforcement) and carry out a live audiobased surveillance, the police can then cooperate with the carrier to suppress the relevant call charges. This can also occur in a side-band without affecting the ability to conduct further calls or in bursts. We also note that the ability to scan for Bluetooth (or other RF such as 802.11) devices within a vehicle provides further potential to establish circumstantial evidence of the presence of individuals in a vehicle’s proximity, even if, e.g., a passenger’s mobile phone is never paired with the vehicle’s communication system, allowing further tracking as reported in previous research [26].
9
Sensor Fusion
Forensic investigations can be significantly improved by fusing information from different sources (sensors). Many functions already implement sensor fusion as part of their normal operation, where two sensor measurements are fused, e.g. park assist uses ultrasonic and camera sensors. Similarly, while carrying out live forensic, we can fuse sensor data from even different functions that are not usually fused, such as video streams from blind spot monitoring with GPS measurements, where the location of the vehicle can be supported by visual images. Generally, however, data fusion is a post hoc process since it usually requires more resources than what the collectors are capable of. Below we discuss two applications of data fusion. Visual Observation. Fusing video streams from different applications may result in a full view of the vehicle’s surrounding environment. This is possible as the front view is captured by ACC, the side views by blind spot monitoring, and back view by parking assist cameras, while some vehicles provide further surround views. Note, however, that some of these cameras are only activated when the corresponding function is activated (e.g. the parking assist camera is only activated when the driver is trying to park); but obviously, active forensics can surmount this problem as it can actively control (activate/deactivate) the relevant functions.
Automotive Live Forensics
221
Occupant Detection. As discussed in section 7, occupancy can be detected through existing sensors. However, further identifying the individuals on-board is even more desirable than just detecting their presence. While the approach of scanning for Bluetooth MAC addresses mentioned in section 8.2 may possibly identify the occupants passively, audio and, potentially, video recordings can provide further evidence even about individuals approaching or leaving the vehicle. Furthermore, In an active live forensic scenario, both the hands-free system and the occupant detection sensors can be associated such that if the occupant sensor detected a new occupant, the hands-free system automatically (and without the knowledge of the driver) initiates a pairing search to detect all MAC addresses in range. Note that hands-free search may detect Bluetooth devices of nearby vehicles or pedestrians and must hence be fused with occupant detection sensors information and repeated regularly, augmented by cameras where possible.
10
Discussion and Conclusion
The mechanisms (both active and passive) described in this paper have significant privacy and legal implications, yet while presenting this work we assume that such procedures are undertaken by law enforcement officials following appropriate procedures. We note that in some jurisdictions, it may not be necessary to obtain warrants, which is of particular relevance when persons other than the driver or vehicle owner are observed; this is, e.g., the case under the United Kingdom’s Regulation of Investigatory Powers Act (2000). In this paper, we presented a general overview of modern automotive systems and further discussed the various advanced functions resulting in what is commonly known today as an Intelligent Vehicle. We showed that functions available in modern automotive systems can significantly improve our live (real-time) digital forensic investigations. Most driver/passenger comfort and convenience functions such as telematics, parking assist and Adoptive Cruise Control (ACC) use multimedia sensors capturing the surrounding scene, which, if properly intercepted, can provide substantial evidence. Similarly, other sensors, like seat occupant sensors and hands-free phone systems, can be used for driver/passenger identification. Future work will concentrate on characterising and fusing sensor data sources, while a natural extension to this work is to look at the feasibility of offline forensics (post hoc extraction of data) and investigate what kind of non-volatile data (other than Event Data Record (EDR) data, which is not always interesting or relevant for forensic investigations) that the vehicular system preserves and stores in-memory. Our expectation is that most of such data is not forensically relevant to investigating behavioural analysis of individuals in a court of law. However, we note that some functions may be capable of storing useful information as part of their normal operation, possibly with user interaction. For example, most navigation systems maintain historical records for previous destinations entered by the user in addition to a favourite locations list and a home location bookmark configured by the user; these records and configurations are
222
S. Al-Kuwari and S.D. Wolthusen
likely to be non-volatile and can be easily retrieved at later times. Moreover, these systems may also contain information on intended movement, which is of particular interest if it can be communicated in real-time to investigators and enables anticipating target movements. Finally, future work will investigate counter-forensics mechanisms, which may also be relevant to investigate that vehicles such as hire cars have not been tampered with in anticipation of industrial espionage operations.
References 1. Wilwert, C., Navet, N., Song, Y., Simonot-Lion, F.: Design of Automotive X-byWire Systems. In: Zurawski, R. (ed.) The Industrial Communication Technology Handbook. CRC Press, Boca Raton (2005) 2. Singleton, N., Daily, J., Manes, G.: Automobile Event Data Recorder Forensics. In: Shenoi, S. (ed.) Advances in Digital Foreniscs IV. IFIP, vol. 285, pp. 261–272. Springer, Heidelberg (2008) 3. Daily, J., Singleton, N., Downing, B., Manes, G.: Light Vehicle Event Data Recorder Forensics. In: Advances in Computer and Information Sciences and Engineering, pp. 172–177 (2008) 4. Nilsson, D., Larson, U.: Combining Physical and Digital Evidence in Vehicle Environments. In: 3rd International Workshop on Systematic Approaches to Digital Forensic Engineering, pp. 10–14 (2008) 5. Nilsson, D., Larson, U.: Conducting Forensic Investigations of Cyber Attacks on Automobile in-Vehicle Network. In: e-Foreniscs 2008 (2008) 6. Navet, N., Simonot-Lion, F.: Review of Embedded Automotive Protocols. In: Automotive Embedded Systems Handbook. CRC Press, Boca Raton (2008) 7. Shaheen, S., Heffernan, D., Leen, G.: A Comparison of Emerging Time-Triggered Protocols for Automotive X-by-Wire Control Networks. Journal of Automobile Engineering 217(2), 12–22 (2002) 8. Leen, C., Heffernan, D., Dunne, A.: Digital Networks in the Automotive Vehicle. Computing and Control Journal 10(6), 257–266 (1999) 9. Dietsche, K.H. (ed.): Automotive Networking. Robert Bosch GmbH (2007) 10. LIN Consortium: LIN Specification Package, revision 2.1 (2006), http://www.lin-subbus.org 11. Schmid, M.: Automotive Bus Systems. Atmel Applications Journal 6, 29–32 (2006) 12. Robert Bosch GmbH: CAN Specification, Version 2.0 (1991) 13. International Standard Organization: Road Vehicles - Low Speed Serial Data Communication - Part 2: Low Speed Controller Area Network, ISO 11519-2 (1994) 14. International Standard Organization: Road Vehicles - Interchange of Digital Informaiton - Controller Aera Nework for High-speed Communication, ISO 11898 (1994) 15. FlexRay Consortium.: FlexRay Communications Systems, Protocol Specification, Version 2.1, Revision A. (2005), www.flexray.com 16. MOST Cooperation: MOST Specifications, revision 3.0 (2008), http://www.mostnet.de 17. Dietsche, K.H. (ed.): Automotive Sensors. Robert Bosch GmbH (2007) 18. Prosser, S.: Automotive Sensors: Past, Present and Future. Journal of Physics: Conference Series 76 (2007)
Automotive Live Forensics
223
19. Bishop, R.: Intelligent Vehicle Technology and Trends. Artech House, Boston (2005) 20. Stein, G., Mano, O., Shashua, A.: Vision-based ACC with a Single Camera: Bounds on Range and Range Rate Accuracy. In: IEEE Intelligent Vehicle Symosium (2003) 21. Suggs, T.: Vehicle Blind Spot Monitoring System (Patent no. 6880941) (2005) 22. Henze, K., Baur, R.: Seat Occupancy Sensor (Patent no. 7595735) (2009) 23. Redfern, S.: A Radar Based Mass Movement Sensor for Automotive Security Applications. IEE Colloquium on Vehicle Security Systems, 5/1–5/3 (1993) 24. Nilsson, D., Larson, U.: Simulated Attacks on CAN Busses: Vehicle Virus. In: AsiaCSN 2008 (2008) 25. Voget, S., Golm, M., Sanchez, B., Stappert, F.: Application of the AUTOSAR Standard. In: Navet, N., Simonot-Lion, F. (eds.) Automotive Embedded Systems Handbook. CRC Press, Boca Raton (2008) 26. Al-Kuwari, S., Wolthusen, S.: Algorithms for Advanced Clandestine Tracking in Short-Range Ad Hoc Networks. In: MobiSec 2010. ICST. Springer, Heidelberg (2010)
Research and Review on Computer Forensics∗ Hong Guo, Bo Jin, and Daoli Huang Key Laboratory of Information Network Security, Ministry of Public Security, People’s Republic of China (The 3rd Research Institute of Ministry of Public Security) Room 304, BiSheng Road 339, Shanghai 201204, China {guohong,jinbo,huangdaoli}@stars.org.cn
Abstract. With the development of Internet and information technology, the digital crimes are also on the rise. Computer forensics is an emerging research area that applies computer investigation and analysis techniques to help detection of these crimes and gathering of digital evidence suitable for presentation in courts. This paper provides foundational concept of computer forensics, outlines various principles of computer forensics, discusses the model of computer forensics and presents a proposed model. Keywords: Computer forensics, computer crime, digital evidence.
1
Introduction
The use of Internet and information technology has grown rapidly all over the world in the 21st century. Directly correlated to this growth is the increased amount of criminal activities that involve digital crimes or e-crimes worldwide. These digital crimes impose new challenges on prevention, detection, investigation, and prosecution of the corresponding offences. The emergence of highly technical nature of digital crimes was created a new branch of forensic science known as computer forensics. Computer forensics is an emerging research area that applies computer investigation and analysis techniques to help detection of these crimes and gathering of digital evidence suitable for presentation in courts. This new area combines the knowledge of information technology, forensics science, and law and gives rise to a number of interesting and challenging problems related to computer security and cryptography that are yet to be solved [1]. Computer forensics has recently gained significant popularity with many local law enforcement agencies. It is currently employed for judicial expertise in almost every enforcement activity. However, it is still behind other methods such as fingerprint analysis, because there have been fewer efforts to improve its accuracy. Therefore, the legal system is often in the dark as to the validity, or even the significance, of digital evidence [2]. ∗
This paper is supported by the Special Basic Research, Ministry of Science and Technology of the People's Republic of China, project number: 2008FY240200.
X. Lai et al. (Eds.): E-Forensics 2010, LNICST 56, pp. 224–233, 2011. © Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2011
Research and Review on Computer Forensics
225
This paper provides foundational concept of computer forensics, outlines various principles of computer forensics, discusses the model of computer forensics and presents a proposed model.
2
Definition of Computer Forensics
Those involved in computer forensics often do not understand the exact definition of computer forensics. In fact, computer forensics is a branch of forensic science pertaining to legal evidence found in computers and digital storage media. 2.1
Definition of Forensics and Forensic Science
The term forensics derives from the Latin “forensis”, which means “in open court or public”, which itself comes from the Latin “of the forum”, referring to an actual location—a “public squarer marketplace used for judicial and other business”. [3] In dictionaries forensics is defined as the process of using scientific knowledge for collecting, analyzing, and presenting evidence to the courts. The term forensic science is “the application of scientific techniques and principles to provide evidence to legal or related investigations and determinations”. [4] It aims to determining the evidential value of crime scene and related evidence. 2.2
Definition of Computer Forensics
Computer forensics is a branch of forensic science. The term computer forensics originated in the late 1980s with early law enforcement practitioners who used it to refer to examining standalone computers for digital evidence of crime. Indeed, the language used to describe computer forensics and even the definition of the term itself varies considerably among those who study and practice it. [5] Legal specialists commonly refer only to the analysis, rather than the collection, of enhanced data. By way of contrast, computer scientists have defined it as valid tools and techniques applied against computer networks, systems, peripherals, software, data, and/or users -to identify actors, actions, and/or states of interest [6]. According to Steve Hailey, Cyber security Institute, computer forensics is “The preservation, identification, extraction, interpretation, and documentation of computer evidence, to include the rules of evidence, legal processes, integrity of evidence, factual reporting of the information found, and providing expert opinion in a court of law or other legal and/or administrative proceeding as to what was found.” [7]. In Digital Forensics Research Workshop held in 2001, computer forensics is defined as “the use of scientifically derived and proven methods towards the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital source for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations. ” However, many experts feel that a precise definition is not yet possible because digital evidence is recovered from devices that are not traditionally considered to be computers. Some researchers prefer to expand the definition such as definition by Palmer to include the collection and examination of all forms of digital data, including that found in cell phones, PDAs, iPods and other electronic devices [8].
226
H. Guo, B. Jin, and D. Huang
From a technical standpoint, Computer Forensics is formulated as an established set of disciplines and the very high standards in place for uncovering digital evidence extracted from personal computers and electronic devices (including those from large corporate systems and networks, across the Internet and the emerging families of cell phones, PDAs, iPods and other electronic devices) for court proceedings.
3
Principles of Computer Forensics
When dealing with computer forensics, the term “evidence” has the following meaning: “Any information and data of value to an investigation that is stored on, received, or transmitted by an electronic device. This evidence is acquired in physical or binary (digital) form that may be used to support or prove the facts of an incident. According to NIJ, the properties of digital evidence as follows: [9] z z z z 3.1
Is latent, like fingerprints or DNA evidence. Crosses jurisdictional borders quickly and easily. Is easily altered, damaged, or destroyed. Can be time sensitive. Rules of Evidence
Dye to the properties of digital evidence, the rules of evidence are very precise and exist to ensure that evidence is properly acquired, stored and unaltered when it is presented in the courtroom. RFC 3227 describes legal considerations related to gathering evidence. The rules require digital evidence to be: z z z z
z
3.2
Admissible: It must conform to certain legal rules before it can be put before a court. Authentic: The integrity and chain of custody of the evidence must be intact.[10] Complete: All evidence supporting or contradicting any evidence that incriminates a suspect must be considered and evaluated. It is also necessary to collect evidence that eliminates other suspects. Reliable: Evidence collection, examination, analysis, preservation and reporting procedures and tools must be able to replicate the same results over time. The procedures must not cast doubt on the evidence’s authenticity and/or on conclusions drawn after analysis. Believable: Evidence should be clear, easy to understand and believable. The version of evidence presented in court must be linked back to the original binary evidence otherwise there is no way to know if the evidence has been fabricated. Guidelines for Evidence Handling
It is s important to follow the rules of evidence in computer forensics investigations. There are a number of guidelines for handling digital evidence throughout the process of computer forensics, published by various groups, for example, Best Practices for Computer Forensics by SWGDE, Guidelines for Best Practice in the Forensic Examination of Digital Technology by IOCE, Electronic Crime Scene Investigation:
Research and Review on Computer Forensics
227
A Guide for First Responders by NIJ and Guide to Integrating Forensic Techniques into Incident Response by NIST. Of all the guidelines referred to above, the G8 principles proposed by IOCE is considered the most authoritative one. In March 2000, the G8 put forward a set of proposed principles for procedures relating to digital evidence. These principles provide a solid base from which to work during any examination done before law enforcement attends. G8 Principles – Procedures Relating to Digital Evidence [11] 1. When dealing with digital evidence, all general forensic and procedural principles must be applied. 2. Upon seizing digital evidence, actions taken should not change that evidence. 3. When it is necessary for a person to access original digital evidence, that person should be trained for the purpose. 4. All activity relating to the seizure, access, storage or transfer of digital evidence must be fully documented, preserved, and available for review. 5. An individual is responsible for all actions taken with respect to digital evidence whilst the digital evidence is in their possession. 6. Any agency, which is responsible for seizing, accessing, storing or transferring digital evidence is responsible for compliance with these principles. This set of principles can act as a solid foundation. However, as one principle states, if someone must touch evidence they should be properly trained. Training helps reduce the likelihood of unintended alteration of evidence. It also increases one’s credibility in a court of law if called to testify about actions taken before the arrival and/or involvement of the police. 3.3
Proposed Principles
According to the properties of digital evidences, we summarized the principles of computer forensics as follows: z z z z z z z
4
Practice in a timely manner Practice in a legal way Chain of custody Obey rules of evidence Minimize handling of the original evidence Document any changes in evidence Audit throughout the process
Models of Computer Forensics
Forensic practitioners and computer scientists both agree that “forensic models" are important for guiding the development in the computer forensics field. Models enable people to understand what that process does, and does not do. There are many models for the forensic process, such as Kruse and Heiser Model (2002), Forensics Process Model (NIJ, 2001), Yale University Model (Eoghan Casey, 2000), KPMG Model (McKemmish, 1999), Dittrich and Brezinski Model (2000),
228
H. Guo, B. Jin, and D. Huang
Mitre Model (Gary L. Palmer, 2002). Although the exact phases of the models vary somewhat, the models reflect the same basic principles and the same overall methodology. Most of models reviewed have element identification, collection, preservation, analysis, and presentation. To make the step more clear and precise, some of them added addition detail steps into the element. Organizations should choose the specific forensic model that is most appropriate for their needs. 4.1
Kruse and Heiser Model
Kruse and Heiser have developed a methodology for computer forensics referred to as three basic components that is acquire, authenticate and analyze[12](Kruse and Heiser, 2002). These components focus on maintaining the integrity of the evidence during the investigation. In detail the steps are: 1. Acquire the evidence without altering or damaging the original. Consisting of the following steps: a. Handling the evidence b. Chain of custody c. Collection d. Identification e. Storage f. Documenting the investigation 2. Authenticate that your recovered evidence is the same as the originally seized data; 3. Analyze the data without modifying it. Kruse and Heiser suggest that in computer forensics is the most essential element to fully document your investigation including all your steps taken. This is particularly important if due to the circumstances you did not maintain absolute forensic integrity then you can at least show the steps you did take. It is true that proper documentation of a computer forensic investigation is the most essential element and is commonly inadequately executed. 4.2
Forensics Process Model
The United States of America’s Department of Justice proposed a process model in the Electronic Crime Scene Investigation: A guide to first responders. [13] This model is abstracted from technology. This model consists four phases: 1. Collection; The first phase in the process is to identify, label, record, and acquire data from the possible sources of relevant data, while following guidelines and procedures that preserve the integrity of the data. 2. Examination; Examinations involve forensically processing large amounts of collected data using a combination of automated and manual methods to assess and extract data of particular interest, while preserving the integrity of the data.
Research and Review on Computer Forensics
229
3. Analysis; The next phase of the process is to analyze the results of the examination, using legally justifiable methods and techniques, to derive useful information that addresses the questions that were the impetus for performing the collection and examination. 4. Reporting; The final phase is reporting the results of the analysis, which may include describing the actions used, explaining how tools and procedures were selected, determining what other actions need to be performed and providing recommendations for improvement to policies, guidelines, procedures, tools, and other aspects of the forensic process.
Fig. 1. Forensic Process [14]
There is a correlation between the ‘acquiring the evidence’ stage identified by Kruse and Heiser and the ‘collection’ stage proposed here. ‘Analyzing the data’ and ‘analysis’ are the same in both frameworks. Kruse has, however, neglected to include a vital component: reporting. This is included by the Department of Justice model. 4.3
Yale University Model
Eoghan Casey, a System Security Administrator at Yale University, also the author of Digital Evidence and Computer Crime (Casey, 2000) and the editor of the Handbook of Computer Crime Investigation (Casey, 2002), has developed the following digital evidence guidelines (Casey, 2000). Casey: Digital Evidence Guidelines. [15] 1. Preliminary Considerations 2. Planning 3. Recognition 4. Preservation, collection and documentation a. If you need to collect the entire computer (image) b. If you need all the digital evidence on a computer but not the hardware (image) c. If you only need a portion of the evidence on a computer (logical copy) 5. Classification, Comparison and Individualization 6. Reconstruction This model focuses on processing and examining digital evidence. In Casey’s models, the first and last steps are identical. Casey also places the focus of the forensic process on the investigation itself.
230
4.4
H. Guo, B. Jin, and D. Huang
DFRW Model
The Digital Forensics Research Working Group (DFRW) developed a model with the following steps: identification; preservation; collection; examination; analysis; presentation, and decision. [16] This model puts in place an important foundation for future work and includes two crucial stages of the investigation. Components of an investigation stage as well as presentation stage are present. 4.5
Proposed Model
The previous sections outline several important computer forensic models. In this section a new model will be proposed for computer forensics. The aim is to merge the existing models already mentioned to compile a reasonably complete model. The model proposed in this paper consists of nine components. They are: identification, preparation, collection, preservation, examination, analysis, review, documentation and report.
Fig. 2. Proposed Model of computer forensics
4.5.1 Identification 1. Identify the purpose of investigation. 2. Indentify resources required. 3. Indentify sources of digital evidence. 4. Indentify tools and techniques to use. 4.5.2 Preparation The Preparation stage should include the following:
Research and Review on Computer Forensics
231
1. All equipment employed should be suitable for its purpose and maintained in a fully operational condition. 2. People accessing the original digital evidence should be trained to do so. 3. Preparation of search warrants, and monitoring authorizations and management support if necessary. 4. Develop a plan that prioritizes the sources, establishes the order in which the data should be acquired and determines the amount of effort required. 4.5.3 Collection Methods of acquiring evidence should be forensically sound and verifiable. 1. Ensures no changes are made to the original data. 2. Security algorithms are provided to take an initial measurement of each file, as well as an entire collection of files. These algorithms are known as “hash” methodologies. 3. There are two methods for performing the copy process: z Bit-by-Bit Copy: This process, in order to be forensically sound, must use write blocker hardware or software to prevent any change to the data during the investigation. Once completed, this copy may be examined for evidence just as if it were the original. z Forensic “Image” The examiner uses special software and procedures to create the image file. An image file cannot be altered without altering the hash algorithm. None of the files contained within the image file can be altered without altering the hash algorithm. Furthermore, a cross validation test should be performed to ensure the validity of the process. 4.5.4 Preservation 1. Ensure that all digital evidence collected is properly documented, labeled, marked, photographed, video recorded or sketched, and inventoried. 2. Ensure that special care is taken with the digital evidences material during transportation to avoid physical damage, vibration and the effects of magnetic fields, electrical static and large variation of temperature and humidity. 3. Ensure that the digital evidence is stored in a secure, climate-controlled environment or a location that is not subject to extreme temperature or humidity. Ensure that the digital evidence is not exposed to magnetic fields, moisture, dust, vibration, or any other elements that may damage or destroy it. 4.5.5 Examination 1. Examiner should review documentation provided by the requestor to determine the processes necessary to complete the examination. 2. The strategy of the examination should be agreed upon and documented between the requestor and examiner. 3. Only appropriate standards, techniques and procedures and properly evaluated tools should be used for the forensic examination. 4. All standard forensic and procedural principles must be applied.
232
H. Guo, B. Jin, and D. Huang
5. Avoid conducting an examination on the original evidence media if possible. Examinations should be conducted on forensic copies or via forensic image files. 6. All items submitted for forensic examination should first be reviewed for the integrity. 4.5.6 Analysis The foundation of forensics is using a methodical approach to reach appropriate conclusions based on the evidence found or determine that no conclusion can yet be drawn. The analysis should include identifying people, places, items, and events, and determining how these elements are related so that a conclusion can be reached. 4.5.7 Review The examiner’s agency should have a written policy to establishing the protocols for technical and administrative review. All work undertaken should be subjected to both technical and administrative review. 1. Technical Review Technical review should include consideration of the validity of all the critical examination findings and all the raw data used in preparation of the statement/report. It should also consider whether the conclusions drawn are justified by the work done and the information available. The review may include an element of independent testing, if circumstances warrant it. 2. Administrative Review Administrative review should ensure that the requester’s needs have been properly addressed, editorial correctness and adherence to policies. 4.5.8 Documentation 1. All activities relating to collection, preservation, examination or analysis of digital evidence must be completely documented. 2. Documentation should include evidence handling and examination documentation as well as administrative documentation. Appropriate standardized forms should be used to document. 3. Documentation should be preserved according to the examiner’s agency policy. 4.5.9 Report 1. The style and content of written reports must meet the requirements of the criminal justice system for the country of jurisdiction, such as General Principles of Judicial Expertise Procedure in China. 2. Reports issued by the examiner should address the requestor’s needs. 3. The report is to provide the reader with all the relevant information in a clear, concise, structured and unambiguous manner.
5
Conclusion
In this paper, we have reviewed the definition, the principles and several main categories models of computer forensics. In addition, we proposed a practical model that establishes a clear guideline of what steps should be followed in a forensic process. We suggest that such a model could be of great value to legal practitioners.
Research and Review on Computer Forensics
233
With more and more criminal behavior becomes linked to technology and the Internet, the necessity of digital evidence in litigation has increased. This evolution of evidence means that investigative strategies also must evolve in order to be applicable today and in the not so distant future. Due to this trend, the field of computer forensics will, no doubt, become more important to help curb the occurrences of crimes.
References 1. Hui, L.C.K., Chow, K.P., Yiu, S.M.: Tools and technology for computer forensics: research and development in Hong Kong. In: Proceedings of the 3rd International Conference on Information Security Practice and Experience, Hong Kong (2007) 2. Wagner, E.J.: The Science of Sherlock Holmes. Wiley, Chichester (2006) 3. New Oxford American Dictionary. 2nd edn. 4. Tilstone, W.J.: Forensic science: an encyclopedia of history, methods, and techniques (2006) 5. Peisert, S., Bishop, M., Marzullo, K.: Computer forensics in forensis. ACM SIGOPS Operating Systems Review 42(3) (2008) 6. Ziese, K.J.: Computer based forensics-a case study-U.S. support to the U.N. In: Proceedings of CMAD IV: Computer Misuse and Anomaly Detection (1996) 7. Hailey, S.: What is Computer Forensics (2003), http://www.cybersecurityinstitute.biz/forensics.htm 8. Abdullah, M.T., Mahmod, R., Ghani, A.A.A., Abdullah, M.Z., Sultan, A.B.M.: Advances in computer forensics. International Journal of Computer Science and Network Security 8(2), 215–219 (2008) 9. National Institute of Justice.: Electronic Crime Scene Investigation A Guide for First Responders, 2nd edn. (2001), http://www.ncjrs.gov/pdffiles1/nij/219941.pdf 10. RCMP: Computer Forensics: A Guide for IT Security Incident Responders (2008) 11. International Organization on Computer Evidence. G8 Proposed Principles for the Procedures Relating to Digital Evidence (1998) 12. Baryamureeba, V., Tushabe, F.: The Enhanced Digital Investigation Process Model Digital Forensics Research Workshop (2004) 13. National Institute of Justice.: Electronic Crime Scene Investigation A Guide for First Responders (2001), http://www.ncjrs.org/pdffiles1/nij/187736.pdf 14. National Institute of Standards and Technology.: Guide to Interating Forensic Techniques into Incident Response (2006) 15. Casey, E.: Digital Evidence and Computer Crime, 2nd edn. Elsevier Academic Press, Amsterdam (2004) 16. National Institute of Justice.: Results from Tools and Technologie Working Group, Goverors Summit on Cybercrime and Cyberterrorism, Princeton NJ (2002)
Text Content Filtering Based on Chinese Character Reconstruction from Radicals Wenlei He1, Gongshen Liu1, Jun Luo2, and Jiuchuan Lin2 1
School of Information Security Engineering Shanghai Jiao Tong University 2 Key Lab of Information Network Security of Ministry of Public Security The Third Research Institute of Ministry of Public Security
Abstract. Content filtering through keyword matching is widely adopted in network censoring, and proven to be successful. However, a technique to bypass this kind of censorship by decomposing Chinese characters appears recently. Chinese characters are combinations of radicals, and splitting characters into radicals pose a big obstacle to keyword filtering. To tackle this challenge, we proposed the first filtering technology based on combination of Chinese character radicals. We use a modified Rabin-Karp algorithm to reconstruct characters from radicals according to Chinese character structure library. Then we use another modified Rabin-Karp algorithm to filter keywords among massive text content. Experiment shows that our approach can identify most of the keywords in the form of combination of radicals and yields a visible improvement in the filtering result compared to traditional keyword filtering. Keywords: Chinese character radical, multi-pattern matching, text filtering.
1
Introduction
In the past decades, Internet has evolved from an emerging technology to a ubiquitous service. The Internet can fulfill people’s need for knowledge in today’s information society by its quick spread of all kinds of information. However, due to its virtuality and arbitrariness nature, Internet conveys fruitful information as well as harmful information. The uncontrolled spread of harmful information may have bad influence on social stability. Thus, it’s important to effectively manage the information resources of web media, which is also a big technical challenge due to the massive amount of information on the web. Various kinds of information are available on the web, text, image, video, etc. Text is the dominant among all of them. Netizens are accustomed to negotiating through emails, participating in discussion on forums or BBS, recording seeing or feeling on blogs. Since everyone can participate in those activities and create shared text content on the web, it’s quite easy for evils to create and share harmful texts. To keep a healthy network environment, it’s essential to censor and filter text content on the web so as to keep netizens away from the infestation of harmful information. The most prominent feature of harmful information is that they are always closely related to several keywords. Thus, keyword filtering is widely adopted to filter text X. Lai et al. (Eds.): E-Forensics 2010, LNICST 56, pp. 234–240, 2011. © Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2011
Text Content Filtering Based on Chinese Character Reconstruction from Radicals
235
content [1], and proven to be quite successful. While the priest climbs a post, the devil climbs ten, keyword filtering are not always effective. Since Chinese characters are combinations of character radicals [2], many characters can be decomposed into radicals, some characters are themselves radicals. This made it possible to bypass keyword filtering without affecting understanding the meaning of those keywords by replacing one or more characters in keyword with combination of character radicals. E.g. use “ ” to represent “ ”. ” by matching Traditionally, we can filter harmful document related to “ ” with “ ”, causing the keyword, but some evil sites replaced “ current filtering mechanism to fail. Even worse, since the filtering mechanism has failed, people can search for harmful keywords like “ ” in commodity search engines, and get plenty of harmful documents from search result. Many evil sites are now aware of this weakness of the current filtering mechanism, and the trick mentioned above to bypass keyword filtering is becoming more and more popular. We analyzed a sample of harmful documents collected by National Engineering Laboratory of Content Analysis. Our analysis shows that:
运云力
运动
法轮功
法轮功 三去车仑工力 三去车仑工力
• A visible portion of harmful documents has adopted the decomposing trick to bypass the filtering mechanism, see Table 1. • Most of the documents involving decomposed characters contain harmful information. Table 1. Statistic of sampled harmful documents
Category Reactionary Adult Political Criticism Public Hazard
Proportion 9% 8% 10% 6%
Sample Size 893 2781 1470 1322
The second column in the table shows the proportion of harmful documents containing intentionally decomposed Chinese characters in a category (number of harmful documents containing decomposed characters / number of harmful documents). Decomposing Chinese characters into radicals is a new phenomenon on the web. The idea behind this trick is simple, but it can completely fail the traditional keyword filtering. Filtering against this trick is a new research topic without much attention now. In this paper, we proposed the first filtering technology against those intentionally decomposed characters. We first set up a Chinese character decomposing structure library. Section 2 gives an overview on the principles of how to decompose Chinese characters. Section 3 gives an overview of our filtering system. We used a modified Rabin-Karp [3] multi-pattern matching algorithm to reconstruct characters from radicals before applying keyword filtering. After reconstruction, we used another modified Rabin-Karp algorithm to filter keywords. We described our modification to Rabin-Karp in Section 3.1, 3.2. In Section 4, we compared our filtering results with traditional filtering, and also showed the efficiency improvement of our modified Rabin-Karp algorithm in reconstruction. We gave a conclusion of our work in Section 5.
236
2
W. He et al.
Principles for Chinese Character Decomposing
Chinese character is structured two-dimension character. Every Chinese character is composed of several character radicals. Chinese Linguistics and Language Administration gave an official definition for character radical in : composing unit of Chinese characters that is made up of strokes [4]. Character radical has a hierarchy structure. A character radical can be made up of several smaller character radicals. E.g. Chinese character “ ” is composed of “ ” and “ ”, these two are level 1 radicals for “ ”. “ ” is made up of “ ” and “ ”, and these two are level 2 radicals for “ ”. Since level 1 decomposing is more intuitive than level 2 decomposing, e.g.“ ” looks like “ ”, but it’s hard for people to think of “ ” when looking at “ ”, in order to make words understandable, usually only level 1 decomposing is used in bypass filtering. We see no level 2 decomposing in the harmful document collection from National Engineering Laboratory of Content Analysis. Accordingly, we consider only level 1 decomposing. The structure of a Chinese character usually falls into the following categories: left-right, up-down, left-center-right, up-center-down, surrounded, half-surrounded, monolith. Intuitively, left-right, left-center-right structure characters are more understandable after decomposing. Statistics [5] shows that left-right structure counts for over 60 percent of all Chinese characters; up-down structure counts for over 20 percent. We summarize these observations as the following conclusions:
想 木目 心
想 相 相
想
木
相 目
心
想
木目
• Level 1 decomposing is more intuitive • Left-right, left-center-right decomposing is more intuitive We manually decomposed some Chinese characters defined in GB2312 charset which are easily understandable after decomposing. Based on the above conclusions, most of the characters we choose to decompose are left-right characters, and we use only level 1 decomposing. The outcome of our decomposing work is a Chinese character decomposing structure library (character structure library for short) in the form of character-structure-radical triplets, as shown in Table 2. Table 2. Sample of Chinese character decomposing structure library
Character
权 格 就 动 树 起
Structure Left-right Left-right Left-right Left-right Left-center-right Half-surrounded
Radicals
木又 木各 京尤 云力 木又寸 走己 Some radicals are variants of characters, some are not. Take “河” for example, if we decompose it into “水” and “可”, it would be confusing and not understandable. Instead, we choose to decompose it into “三” and “可”, which is more meaningful.
Text Content Filtering Based on Chinese Character Reconstruction from Radicals
3
237
Keyword Filtering Based on Chinese Character Reconstruction
Figure 1 gives an overview on our filtering system. HTML files shown in Figure 1 are collected via collectors in network. Preprocessing will remove all HTML tags, punctuations, and white-spaces. If punctuations and white-spaces are not removed, those punctuations in between characters of a keyword may cause keyword matching to fail. Next, we take the decomposed characters in character structure library as patterns, and use multi-pattern matching algorithm to find out and recombine all intentionally decomposed characters. After character reconstruction, we use another multi-pattern matching algorithm to search for keywords, and filter out all documents that contain any keywords. In the above process, we used two multi-pattern matching algorithms, and the efficiency of the two algorithms is vital to the performance of the whole filtering system. We carefully selected the two algorithms. We modified Rabin-Karp [3] algorithm to better fit our scenario of character reconstruction and keyword filtering. We describe our modification to Rabin-Karp algorithm in Section 3.1 and 3.2.
Fig. 1. Overview of filtering system
3.1
Chinese Character Reconstruction
Recombining Chinese character from character radicals is a multi-pattern matching problem in nature. Pattern matching [6] can be divided into single pattern matching and multi-pattern matching. Let P = {p1, p2,...,pk} be a set of patterns, which are strings of characters from a fixed alphabet ∑. Let T=t1, t2,...,tN be a large text, again consisting of characters from ∑. Multi-pattern matching is to find all occurrences of all the patterns of P in T. Single pattern matching is to find all occurrences of one pattern pi in T. KMP (Knuth-Morris-Pratt) [7] and BM (Boyer-Moore) [8] are classical algorithms for single pattern matching. AC (Ano-Corasick) [9] and WuManber [10] are algorithms for multi-pattern matching. AC is a state machine based algorithm, which requires large amount of memory resources. WM is an extension of BM, and it has the best performance in average case. [11] proposed an improved WM algorithm. The algorithm eliminates the functional overlap of the table HASH and SHIFT, and computes the shift distances in an aggressive manner. After each test, the algorithm examines the character next to the scan window to maximize the shift distance. The idea behind this improvement is consistent with that of the quick-search (QS) algorithm [12].
238
W. He et al.
From the observations in Section 2, we know that most patterns in character structure library are of length 2, few are of length 3. Since the prefix and suffix of WM algorithm overlaps a lot for patterns of length 2 and 3, it’s not efficient to use WM. On the other hand, WM algorithm for such short patterns will act similar to Rabin-Karp algorithm, except that it’s less efficient due to the tedious and duplicated computation and comparison of prefix and suffix hash. Rabin-Karp seems suitable for our purpose, but it requires the patterns to have a fixed length, thus we cannot use it directly. Here we modified Rabin-Karp so that it can search for multi-patterns of both length 2 and 3. We replaced the set of hash values of pattern prefix with a hash map. The keys of hash map are hash values of pattern prefixes (prefix length is 2); the value of hash map is 0 for patterns of length 2; the one character following the prefix (the last character) for patterns of length 3. When current substring’s hash equals any key in the hash map, we retrieve the corresponding value in the hash map. If a non-zero value is encountered, just compare the non-zero value (the third character in pattern) with the character following the prefix, a match (pattern of length 3) is found if the two equals. If the value we get is zero, a match is found immediately (pattern of length 2). We further optimized Rabin-Karp by selecting a natural rolling hash function. In our modified version of RK, hash is calculated on two Chinese characters since prefix length is 2. The length of a Chinese character is two bytes in Unicode and many other encoding, thus the length of 2 Chinese characters equals the length a natural WORD (int) on 32-bit machines. Based on this observation, we take the four bytes code of 2 Chinese characters directly as its hash. This straightforward hashing has the following advantages: • The hash value does not need any addition computation • The probability of collision is zero. Experiment shows that our modified RK outperforms the improved WM [11] in character reconstruction. 3.2
Keyword Filtering
Keyword filtering is also a problem of multi-pattern matching. Since the minimum length of all keywords is 2, WM is still not a good choice for keyword filtering due to the overlapping of prefix and suffix. We still choose to use RK. We need to modify RK further, since length of keywords (patterns) is mostly between 2 and 5 this time. We used the same straightforward rolling hash as in section 3.1, since prefix length is still 2. We still replace the set of hash values of pattern prefix with a hash map. We keep keys as the same in section 3.1, but use pointers pointing to the character following the prefix as values. When current substring’s hash equals any key in the hash map, we retrieve the corresponding value in the hash map as before. Then compare the string pointed to by the retrieved pointer with the string starting from the character following the prefix to see if they are a match. Since most of our keywords are short, there won’t be plenty of character comparisons, thus the algorithm is quite efficient.
Text Content Filtering Based on Chinese Character Reconstruction from Radicals
4
239
Experiments
To demonstrate the effectiveness of our filtering system, we used the same harmful document collection from National Engineering Laboratory of Content Analysis as mentioned in Section 1, 2 as test data. We selected 752 words in all documents as the keywords to filter. These words show up 21973 times in all documents. We input the document collection (6466 documents in all) into the filtering system. Our filtering system reconstructed those decomposed characters, and then applied keyword filtering on the processed text. A document is filtered out if it contains any keywords. The result in table 3 shows that our filtering system can recognize most of the keywords even if characters of these keywords are decomposed into radicals. As a comparison, we applied keyword filtering on the input without reconstructing characters from radicals. Table 3. Effect of our filtering based on Character Reconstruction
Keyword Matches
Filtered Documents
Filtering based on character reconstruction
99.57% (21878)
99.77% (6451)
Filtering without reconstruction
91.36% (20074)
92.11% (5956)
As shown in table 3, our approach can effective identify most of the keywords even in the form on combination of radicals. It yields a visible improvement in the filtering result compared to traditional filtering without character reconstruction. As more and more evil sites begin to use this trick, and the proportion of harmful documents containing intentionally decomposed characters increases, the improvement will be more significant in the future. However, our approach also has its drawbacks. From table 3, we can see that there’re still some keywords that cannot be identified with our approach (about 0.23%). Since the first radical of a character might be combined with character left to it mistakenly, some keywords cannot be identified. E.g. for “ ”, “ ” and “ ” is combined into “ ” mistakenly, thus keyword “ ” cannot be identified after reconstruction. Our current approach cannot handle this kind of situations. To eliminate such kind of wrong combinations in future work, we can take semantic into consideration when recombining radicals. We also tested the performance of our character reconstruction algorithm. It shows that our modified Rabin-Karp algorithm outperforms the improved Wu-Manber algorithm proposed in [11] by 35% on average in character reconstruction. To further improve the performance of the whole system, we can even consider combining character reconstruction and keyword filtering into one step in future work, using decomposed keywords as patterns. This would cause the hash table in Rabin-Karp to blow, since there might be several ways to decompose a single keyword. And it’s trading space for speed.
半
柈
大小和卓木半反乱 木 叛乱
240
5
W. He et al.
Conclusions
Decomposing Chinese characters to bypass traditional keyword filtering has become a popular trick that many evil sites use now. In this paper we proposed a filtering technology against this kind of trick. We first use a modified Rabin-Karp algorithm to reconstruct Chinese characters from radicals. Then apply keyword filtering on the processed text. This is the first filtering system ever known against the trick. Experiment has showed the effectiveness and efficiency of our approach. In the future, we can further improve the filtering technology by taking semantic into consideration when recombining characters or even try to combine reconstruction and filtering into a single step. Acknowledgement. The work described in this paper is fully supported by the National Natural Science Foundation of China (No.60703032), and the Opening Project of Key Lab of Information Network Security of Ministry of Public Security.
References 1. Oard, D.W.: The State of the Art in Text Filtering. User Modeling and User-Adapted Interaction 7(3) (1997) 2. Zhang, X.: Research of Chinese Character Structure of 20th Century. Language Research and Education (5), 75–79 (2004) 3. Karp, R.M., Rabin, M.O.: Efficient randomized pattern-matching algorithms. IBM Journal of Research and Development 31(2) (March 1987) 4. Chinese Linguistics and Language Administration. GB13000.1 Chinese Character Specification for Information Processing. Language and Literature Press, Beijing (1998) 5. Li, X.: Discussion and Opinion of the Evaluation Criterion of Chinese Calligraphy, http://www.wenhuacn.com/ 6. Lee, R.J.: Analysis of Fundamental Exact and Inexact Pattern Matching Algorithms 7. Knuth, D.E.: Fast Pattern Matching in Strings. SIAM J. Comput. 6(2) (June 1977) 8. Boyer, R.S., Moore, J.S.: A Fast String Searching Algorithm. Communications of ACM 20(10) (October 1977) 9. Aho, A.V., Margaret, J.C.: Efficient string matching: An aid to bibliographic search. Communications of the ACM 18(6), 333–340 (1975) 10. Wu, S., Manber, U.: A Fast Algorithm for Multi-Pattern Searching. Technical Report TR 94-17, University of Arizona at Tuscon (May 1994) 11. Yang, D., Xu, K., Cui, Y.: An Improved Wu-Manber Multiple Patterns Matching Algorithm. IPCCC (April 2006) 12. Sunday, D.M.: A very fast substring search algorithm. Communications of the ACM 33(8), 132–142 (1990)
Disguisable Symmetric Encryption Schemes for an Anti-forensics Purpose Ning Ding, Dawu Gu, and Zhiqiang Liu Department of Computer Science and Engineering Shanghai Jiao Tong University Shanghai, 200240, China {dingning,dwgu,ilu_zq}@sjtu.edu.cn
Abstract. In this paper, we propose a new notion of secure disguisable symmetric encryption schemes, which captures the idea that the attacker can decrypt a cipher text he encrypted to different meaningful values when different keys are put to the decryption algorithm. This notion is aimed for the following anti-forensics purpose: the attacker can cheat the forensics investigator by decrypting an encrypted file to a meaningful file other than that one he encrypted, in the case that he is catched by the forensics investigator and ordered to hand over the key for decryption. We then present a construction of secure disguisable symmetric encryption schemes. Typically, when an attacker uses such encryption schemes, he can achieve the following two goals: if the file he encrypted is an executable malicious file, he can use fake keys to decrypt it to a benign executable file, or if the file he encrypted is a data file which records his malicious activities, he can also use fake keys to decrypt it to an ordinary data file, e.g. a song or novel file. Keywords: Symmetric Encryption, Obfuscation, Anti-forensics.
1
Introduction
Computer forensics is usually defined as the set of techniques that can be applied to understand if and how a system has been used or abused to commit mischief [8]. The increasing use of forensics techniques has led to the development of “anti-forensics” techniques that can make this process difficult, or impossible [2][7][6]. That is, the goal of anti-forensics techniques is to frustrate forensics investigators and their techniques. In general, the anti-forensics techniques mainly contains those towards data wiping, data encryption, data steganography and techniques for frustrating forensics software etc. When an attacker performs an attack on a machine (called the target machine), there are much evidence of the attack left in the target machine and his own machine (called the tool machine). The evidence usually includes malicious data, malicious programs etc. used throughout the attack. To frustrate
This work was supported by the Specialized Research Fund for the Doctoral Program of Higher Education (No. 200802480019).
X. Lai et al. (Eds.): E-Forensics 2010, LNICST 56, pp. 241–255, 2011. c Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2011
242
N. Ding, D. Gu, and Z. Liu
forensics investigators to gather such evidence, the attacker usually tries to erase these evidence from the target machine and the tool machine after or during the attack. Although erasing the evidence may be the most efficient way to prevent the attacker from being traced by the forensics investigator, the attacker sometimes needs to store some data and malicious programs in the target machine or the tool machine so as to continue the attack later. In this case the attacker may choose to encrypt the evidence and then later decrypt it when needed. A typical encryption operation for a file (called the plain text) is to first encrypt it and then erase the plain text. Thus after this encrypting operation, it seems that there is only the encrypted file (called the cipher text) in the hard disk and does not exist the plain text. However, some forensics software can recover the seemingly erased file or retrieve the plain text corresponding to a cipher text in the hard disk by making use of the physical properties of hard disks and the vulnerability of the operation systems. Thus, some anti-forensics researchers proposed some techniques on how to really erase or encrypt data such that no copy of the data or plain text still exists in the hard disk. By adopting such anti-forensics techniques, it can be ensured that there exist only encrypted data left in the machine. Thus, if the encryption scheme is secure in cryptographic sense, the forensics investigator cannot find any information on the data if he does not know the private key. Hence it seems that by employing the really erasing techniques and a secure encryption scheme, the attacker could realize secure encryption of malicious data and programs and avoid accusation even if the forensics investigator can gather cipher texts from the target machine or the tool machine since none can find any information from these cipher texts. But is this really true in all cases? Consider such a case. The attacker uses a secure encryption scheme to encrypt a malicious executable file. But later the forensics investigator catches him and also controls the tool or target machines absolutely. Suppose the forensics investigator can further find the encrypted file of the malicious program by scanning the machine. Then the forensics investigator orders the attacker to hand over the private key so as to decrypt the file to obtain the malicious program. In this case, the attacker cannot hand over a fake key to the investigator since by using this fake key as the decryption key, either the decryption cannot proceed successfully or even if the decryption can proceed successfully, the decrypted file is usually not an executable file. This shows to the investigator that the attacker lies to him. Thus the inquest process will not end unless the attacker hands over the real key. So it can be seen that the secrecy of the cipher text cannot be ensured in this case. The above discussion shows that ordinary encryption schemes may be insufficient for this anti-forensics purpose even if they possess strong security in cryptographic sense (e.g. IND-CCA2). One method of making the attacker able of cheating the forensics investigator is to let the encrypted file has multiple valid decryptions. Namely, each encryption of an executable file can be decrypted to more than one different executable files. Assuming such encryption schemes exist, in the above case when ordered to hand over the real key, the attacker can
Disguisable Symmetric Encryption
243
hand over one or more fake keys to the forensics investigator and the cipher text can be correspondingly decrypted to one or many benign executable programs, which are not the malicious program. Then the attacker can cheat the investigator that the program encrypted previously would be actually a benign program instead of a malicious program. Thus, the forensics investigator cannot accuse the attacker that he lies to the investigator. We say that an encryption scheme with such security is disguisable (in anti-forensics setting). It can be seen that the disguisable encryption may be only motivated for the anti-forensics purpose and thus the standard encryption study does not investigate it explicitly and to our knowledge no existing encryption scheme is disguisable. Thus, in this paper we are interested in the question how to construct disguisable encryption schemes and try to provide an answer to this question. 1.1
Our Result
We provide a positive answer to the above question with respect to the symmetric encryption. That is, we first put forward a definition of secure disguisable symmetric encryption which captures the idea that a cipher text generated by the attacker can be decrypted to different meaningful plain texts when using different keys to the decryption algorithm. A bit more precisely, the attacker holds a real key and several fake keys and uses the real key to encrypt a file to output the cipher text. Then if the attacker is controlled by the forensics investigator and ordered to hand over the key to decrypt the cipher text, the attacker can hand over one or more fake keys and claims that these keys include the real one. We also require that the forensics investigator cannot learn any information of the number of all the keys the attacker holds. Then we present a construction of secure disguisable symmetric encryption schemes. Informally, our result can be described as follows. Claim 1. There exists a secure disguisable symmetric encryption scheme. When an attacker encrypted a file using such encryption schemes, he can cheat the forensics investigator later by decrypting the encryption of the malicious file to another file. In particular, if an attacker used a secure disguisable symmetric encryption scheme to encrypt a malicious executable file and later is ordered to decrypt the cipher text, then the attacker can decrypt the cipher text to a benign executable file, or decrypt it to a malicious program other than the real encrypted one which, however, is unrelated to the attack. Or, if the attacker encrypted some data file which records his malicious activities, then later he can decrypt this cipher text to an ordinary data file, such as a song or a novel file. In both cases, the forensics investigator cannot recognize attacker’s cheating activities. For an encryption scheme, all security is lost if the private key is lost. Thus the attacker who uses a disguisable encryption scheme should ensure that the keys (the real one and many fakes ones) can be stored in a secure way. In the last part of this paper, we also provide some discussion on how to securely manage the keys.
244
1.2
N. Ding, D. Gu, and Z. Liu
Our Technique
Our construction of disguisable symmetric encryption schemes heavily depends on the the recent result of obfuscating multiple-bit point and set-membership functions proposed by [4]. Loosely speaking, an obfuscation of a program P is a program that computes the same functionality as P computes, but any adversary can only use this functionality and cannot learn anything beyond it, i.e., the adversary cannot reverse-engineering nor understand the code of the obfuscated program. A multiple-bit point function M BP Fx,y is the one that on input x outputs y and outputs ⊥ on all other inputs. As shown by [4], an obfuscation for multiple-bit point functions can be applied to construct a symmetric encryption scheme: The encryption of a message m with key k is letting O(M BP Fk,m ) be the cipher text. To decrypt the cipher text with k is to compute O(M BP Fk,m )(k), which output is m. Inspired by [4], we find that an obfuscation for multiple-bit set-membership functions can be used to construct a disguisable symmetric encryption scheme. A multiple-bit set-membership function M BSF(x1 ,y1 ),(x2 ,y2 ),···,(xt ,yt ) is the one that on input xi outputs yi for. Our idea for constructing a disguisable symmetric encryption scheme is as follows: to encrypt y1 with the key x1 , we choose t − 1 more fake keys x2 , · · · , xt and arbitrary y2 , · · · , yt and let the obfuscation of M BSF(x1 ,y1 ),(x2 ,y2 ),···,(xt ,yt ) be the cipher text. Thus the cipher text (also viewed as a program) on input xi outputs yi . This means the cipher text can be decrypted to many values. In this paper, we will formally illustrate and extend this basic idea as well as some necessary randomized techniques to construct a secure disguisable symmetric encryption scheme which can possess the required security. 1.3
Outline of This Paper
The rest of this paper is as follows. Section 2 presents the preliminaries. Section 3 presents our result, i.e. the definition and the construction of the disguisable symmetric encryption scheme as well as some discussion of how to securely store and manage keys for an attacker. Section 4 summarizes this paper.
2
Preliminaries
This section contains the notations and definitions used throughout this paper. 2.1
Basic Notions
A function μ(·), where μ : N → [0, 1] is called negligible if μ(n) = n−ω(1) (i.e., 1 μ(n) < p(n) for all polynomial p(·) and large enough n’s). We will sometimes use neg to denote an unspecified negligible function. The shorthand “PPT” refers to probabilistic polynomial-time, and we denote by PPT machines non-uniform probabilistic polynomial-time algorithms unless stated explicitly.
Disguisable Symmetric Encryption
245
We say that two probability ensembles {Xn }n∈N and {Yn }n∈N are computationally indistinguishable if for every PPT algorithm A, it holds that | Pr[A(Xn ) = 1] − Pr[A(Yn ) = 1]| = neg(n). We will sometimes abuse notation and say that the two random variables Xn and Yn are computationally indistinguishable when each of them is a part of a probability ensemble such that these ensembles {Xn }n∈N and {Yn }n∈N are computationally indistinguishable. We will also sometimes drop the index n from a random variable if it can be infer from the context. In most of these cases, the index n will be the security parameter. 2.2
Point Functions, Multi-bit Point and Set-Membership Functions
A point function, P Fx : {0, 1}n → {0, 1}, outputs 1 if and only if its input matches x, i.e., P Fx (y) = 1 iff y = x, and outputs 0 otherwise. A point function with multiple-bit output, M BP Fx,y : {0, 1}n → {y, ⊥}, outputs y if and only if its input matches x, i.e., M BP Fx,y (z) = y iff z = x, and outputs ⊥ otherwise. A multiple-bit set-membership function, M BSF(x1 ,y1 ),···,(xt ,yt ) : {0, 1}n → {y1 , · · · , yt , ⊥} outputs yi if and only if the input matches xi and outputs ⊥ otherwise, where t is at most a polynomial in n. 2.3
Obfuscation
Informally, an obfuscation of a program P is also a program that computes the same functionality as P but its code can hide all information beyond the functionality. That is, the obfuscated program is fully “unintelligent” and any adversary cannot understand nor reverse-engineering it. This paper adopts the definition of obfuscation proposed by [4][3][9]. Definition 1. Let F be a family of functions. A uniform PPT O is called an obfuscator of F, if: Approximate Functionality: for any F ∈ F, Pr[∃x, O(F (x)) = F (x)] is negligible. Here the probability is taken over the coin tosses of O. Polynomial Slowdown: There exists a polynomial p such that, for any F ∈ F, O(F ) runs in time at most p(TF ), where TF is the worst-case running-time of F . Weak Virtual black-box property: For every PPT distinguisher A and any polynomial p, there is an (non-uniform) PPT simulator S, such that for any 1 . F ∈ F, Pr[A(O(F )) = 1] − Pr[A(S F (1|F | )) = 1] ≤ p(n) The theoretical investigation of obfuscation was initialized by [1]. [4] presented a modular approach to construct an obfuscation for multiple-bit point and setmembership functions based on an obfuscation for point functions [3][5]. 2.4
Symmetric Encryption
We recall the standard definitions of a symmetric (i.e. private-key) encryption scheme. We start by presenting the syntax definition as follows:
246
N. Ding, D. Gu, and Z. Liu
Definition 2. (Symmetric encryption scheme). A symmetric or private-key encryption scheme SKE = (G; E; D) consists of three uniform PPT algorithms with the following semantics: 1. The key generation algorithm G samples a key k. We write k ← G(1n ) where n is the security parameter. 2. The encryption algorithm E encrypts a message m ∈ {0, 1}poly(n) and produces a cipher text C. We write C ← E(k; m). 3. The decryption algorithm D decrypts a cipher text C to a message m. We write m ← D(k; C). Usually, perfect correctness of the scheme is required, i.e., that D(k; E(k; m)) = m for all m ∈ {0, 1}poly(n) and all possible k. Security of encryption schemes. The standard security for encryption is computational indistinguishability, i.e., for any two different messages m1 , m2 with equal bit length, their corresponding cipher texts are computationally indistinguishable.
3
Our Result
In this section we propose the definition and the construction of disguisable symmetric encryption schemes. As shown in Section 1.1, the two typical goals (or motivation) of this kind of encryption schemes is to either let the attacker disguise his malicious program as a benign program, or let the attacker disguise his malicious data as ordinary data. Although we can present the definition of disguisable symmetric encryption schemes in a general sense without considering the goal it is intended to achieve, we still explicitly contain the goal in its definition to emphasis the motivation of such encryption schemes. In this section we illustrate the definition and construction with respect to the goal of disguising executable files in detail, and omit those counterparts with respect to the goal of disguising data files. Actually, the two definitions and constructions are same if we do not refer to the type of the underlying files. In Section 3.1, we present the definition of disguisable symmetric encryption schemes and the security requirements. In Section 3.2 we present a construction of disguisable symmetric encryption schemes which can satisfy the required security requirements. In Section 3.3 we provide some discussion on how to securely store and manage the keys in practice. 3.1
Disguisable Symmetric Encryption
In this subsection we present the definition of secure disguisable symmetric encryption as follows. Definition 3. A disguisable symmetric encryption scheme DSKE = (G; E; D) (for encryption of executable files) consists of three uniform PPT algorithms with the following semantics:
Disguisable Symmetric Encryption
247
1. The key generation algorithm G on input 1n , where n is the security parameter, samples a real key k and several fake keys FakeKey1 , · · · , FakeKeyr . (The fake keys are also inputs to the encryption algorithm.) 2. The encryption algorithm E on input k, an executable file File ∈ {0, 1}poly(n) to be encrypted, together with FakeKey1 , · · · , FakeKeyr , produces a cipher text C. 3. The (deterministic) decryption algorithm D on input a key and a cipher text C (promised to be the encryption of the executable file File) outputs a plain text which value relies on the key. That is, if the key is k, D’s output is File. If the key is any fake one generated previously, D’s output is also an executable file other than File. Otherwise, D outputs ⊥. We require computational correctness of the scheme. That is, for the random keys generated by G and E’s internal coins, D works as required except negligible probability. We remark that in a different viewpoint, we can view that the very key used in encryption consists of k and all FakeKeyi , and k, FakeKeyi can be named segments of this key. Thus in this viewpoint our definition essentially means that decryption operation only needs a segment of the key and behaves differently on input different segments of this key. However, since not all these segments are needed to perform correct decryption, i.e., there is no need for the users of such encryption schemes to remember all segments after performing the encryption, we still name k and all FakeKeyi keys in this paper. We only require computational correctness due to the obfuscation for MBSF functions underlying our construction which can only obtain computational approximate functionality (i.e., no PPT algorithm can output a x such that O(F (x)) = F (x) with non-negligible probability). Security of disguisable symmetric encryption schemes. We say DSKE is secure if the following conditions hold: 1. For any two different executable files File1 , File2 with equal bit length, their corresponding cipher texts are computationally indistinguishable. 2. Assuming there is a public upper bound B on r known to everyone, any adversary on input a cipher text can correctly guess the value of r with probability no more than B1 + neg(n). (This means r should be uniform and independent of the cipher text.) 3. After the user hands over to the adversary 1 ≤ r ≤ r fake key(s) and claims one of them is the real key and the remainders are fake keys (if r ≥ 2), the adversary cannot distinguish the cipher texts of File1 , File2 either. Further,the conditional probability that the adversary can correctly guess the value of r 1 is no more than B−r + neg(n) if r < B. (This means r is still uniform and independent of the cipher text on the occurrence that the adversary obtains the r fake keys.) We remark that the first requirement originates from the standard security of encryption, and that the second requirement basically says that the cipher text does not contain any information of r (beyond the public bound B), and that the
248
N. Ding, D. Gu, and Z. Liu
third requirement says the requirements 1 and 2 still hold even if the adversary obtains some fake keys. In fact the second and third requirements are proposed for the anti-forensics purpose mentioned previously. 3.2
Construction of the Encryption Schemes
In this subsection we present a construction of the desired encryption scheme. Our scheme heavily depends on the current technique of obfuscating multiplebit set-membership functions presented in [4]. The construction in [4] is modular based on the obfuscation for point functions. As shown by [4], this modularization construction is secure if the underlying obfuscation for point functions satisfies some composability. Actually, the known construction of obfuscation for point function in [3] when using the statistically indistinguishable perfectly one-way hash functions [5] satisfies such composability, which results in that the construction in [4] is a secure obfuscation with computational approximate functionality. We will not review the definitions and constructions of the obfuscation and perfectly one-way hash functions in [5][3] and several composability discussed in [4] here, and refer the readers to the original literature. We first present a naive scheme in Construction 1 which can illustrate the basic idea how to construct a multiple-bit set-membership function to realize a disguisable symmetric encryption. But the drawback of this scheme is that it cannot possess the desired security. Then we present the final scheme in Construction 2 which can achieve the requirements of secure disguisable encryption schemes. Construction 1: We construct a naive scheme DSKE = (G; E; D) as follows: 1. G: on input 1n , uniformly sample two n-bit strings independently from {0, 1}n, denoted k and FakeKey (note Pr[k = FakeKey] = 2−n ). k is the real symmetric key and FakeKey is the fake key. (r is 1 herein.) 2. E: on input k, FakeKey and an executable file File ∈ {0, 1}t, perform the following computation: (a) Choose a fixed existing different executable file in the hard disk with bit length t (if its length is less than t, pad some dummy instructions to it to satisfy this requirement), denoted FakeFile, and then compute the following program P . P ’s description: input: x 1. in the case x = k, return File; 2. in the case x = FakeKey, return FakeFile; 3. return ⊥; 4. end. (b) Generate a program Q for P . (It differs from the obfuscation in [4] in that it does not use a random permutation on two blocks of Q, i.e. lines 1-3 and lines 4-6.)
Disguisable Symmetric Encryption
249
That is, let y denote File and yi denote the ith bit of y. For each i, if yi = 1 E computes a program Ui as an obfuscation of P Fk (point function defined in Section 2.2), using the construction in [3] employing the statistically indistinguishable perfectly one-way hash functions in [5], otherwise E computes Ui as an obfuscation of P Fu where u is a uniformly random n-bit string. Generate a more program U0 as an obfuscation of P Fk . Similarly, E adopts the same method to compute t obfuscation according to each bit of FakeFile. Denote by FakeUi these t obfuscation, 1 ≤ i ≤ t. Generate a more program FakeU0 as an obfuscation of P FFakeKey . Q’s description: input: x 1. in the case U0 (x) = 1 2. for i = 1 to t let yi ← Ui (x); 3. return y. 4. in the case FakeU0 (x) = 1 5. for i = 1 to t let yi ← FakeUi (x); 6. return y; 7. return ⊥. 8. end Q is the cipher text. 3. D: on input a cipher text c and a key key, it views c as a program and executes c(key) to output what c outputs as the corresponding plain text. It can be seen that P actually computes a multiple-bit set-membership function, defined in Section 2.2, and Q ← E(k, File, FakeKey) possesses the computational approximate functionality with P . Thus, except negligible probability, for any File that an attacker wants to encrypt, we have that D(k, Q) = File, D(Fakekey, Q) = FakeFile. This shows that Definition 3 of disguisable symmetric encryption schemes is satisfied by DSKE . Now the next step is to verify if this encryption is secure with respect to the security of the disguisable symmetric encryption schemes. That is, we need to verify if the security requirements are satisfied. However, as we will point out, DSKE is actually insecure with respect to the security requirements. First, since Q is not a secure obfuscation of P , we cannot establish the indistinguishability of encryption. Second, the secrecy of r cannot be satisfied. Instead, r is fixed as 1 herein. Thus if the forensics investigator knows the attacker adopts DSKE to encrypt a malicious program and orders the attacker to hand over the two keys, the attacker may choose either to provide both k, FakeKey or to provide FakeKey (the attacker claims he only remembers one of the two keys) to the investigator. In the former case, the forensics investigator can immediately grasp the malicious program as well as another fake program. Notice that the execution traces of the two decryptions are not same, i.e. the decryption using the real key always occurs in Lines 2 and 3 of Q, while the one using the fake key occurs in Lines 5 and 6.
250
N. Ding, D. Gu, and Z. Liu
Thus the investigator can tell the real malicious program from the other one. In the latter case, the investigator can still judge if the attacker tells him the real key by checking the execution trace of Q. To achieve the security requirements, we should overcome the drawbacks of distinguishability of encryption, exposure of r and execution trace of Q, as the following shows. We improve the naive scheme by randomizing r over some interval [1, B] for a public constant B and adopt the secure obfuscation for multiple-bit setmembership functions in [4] etc. The construction of the desired encryption scheme is as follows. Construction 2: The desired encryption scheme DSKE = (G; E; D) is as follows: 1. G: on input 1n , uniformly sample r + 1 n-bit strings independently from {0, 1}n, denoted k and FakeKeyi for 1 ≤ i ≤ r. k is the real symmetric key and FakeKeyi for each i is a fake key. 2. E: on input the secret key k, FakeKey1 , · · · , FakeKeyr and an executable file File ∈ {0, 1}t, perform the following computation: (a) Choose a fixed existing executable file with bit length t in the hard disk, denoted File . Let u0 , · · · , ur denote k, FakeKey1 , · · · , FakeKeyr . Then uniformly and independently choose B−r more strings from {0, 1}n, denoted ur+1 , · · · , uB (the probability that at least two elements in {u0 , · · · , uB } are identical is only neg(n)). Construct two (B + 1)-cell tables K and F satisfying K [i] = ui for 0 ≤ i ≤ B and F [0] = File and F [i] = File for 1 ≤ i ≤ Q. (b) Generate the following program P , which has the tables K , F hardwired. input: x 1. for i = 0 to B do the following 2. if x = K [i], return F [i]; 3. return ⊥; 4. end. (c) Adopt the method presented in [4] to obfuscate P . That is, choose a random permutation π from [0, B] to itself and let K[i] = K [π(i)] and F [i] = F [π(i)] for all i’s. Then obfuscate the multiple-bit point functions M BP FK[i],F [i] for all i’s. More concretely, let yi denote F [i] and yi,j denote the jth bit of yi . For each j, if yi,j = 1 E generates a program Ui,j as an obfuscation of P FK[i] (point function), using the construction in [3] employing the statistically indistinguishable perfectly one-way hash functions in [5], otherwise E generates Ui,j as an obfuscation of P Fu where u is a uniformly random n-bit string. Generate a more program Ui,0 as an obfuscation of P FK[i] . Generate the following program Q, which is an obfuscation of P : input: x
Disguisable Symmetric Encryption
251
1. for i = 0 to B do the following 2. if Ui,0 (x) = 1 3. for j = 1 to t, let yi,j ← Ui,j (x); 4. return yi,j ; 5. return ⊥; 6. end. Q is the cipher text. 3. D: on input a cipher text c and a key key, it views c as a program and executes c(key) to output what c outputs as the corresponding plain text. Since it is not hard to see that DSKE satisfies Definition 3, we now turn to show that DSKE can achieve the desired security requirements, as the following claims state. Claim 2. DSKE satisfies the computational indistinguishability of encryption. Proof. This claim follows from the result in [4] which ensures that Q is indeed an obfuscation of P . To prove this claim we need to show that for arbitrary two files f1 and f2 with equal bit length, letting Q1 and Q2 denote their cipher texts respectively generated by DSKE, Q1 and Q2 are indistinguishable. Formally, we need to show that for any PPT distinguisher A and any polynomial 1 . p, | Pr[A(Q1 ) = 1] − Pr[A(Q2 ) = 1]| ≤ p(n) Let P1 (resp. P2 ) denote the intermediate program generated by the encryption algorithm in encrypting f1 (resp. f2 ) in step (b). Since Q1 (resp. Q2 ) is an obfuscation of P1 (resp. P2 ), by Definition 1 we have that for the polynomial 3p there exists a simulator S satisfying | Pr[A(Qi ) = 1] − Pr[A(S Pi (1|Pi | ) = 1]| ≤ 1 3p(n) for i = 1, 2. As | Pr[A(Q1 ) = 1] − Pr[A(Q2 ) = 1]| ≤ | Pr[A(Q1 ) = 1] − Pr[A(S P1 (1|P1 | )) = 1]| + | Pr[A(Q2 ) = 1] − Pr[A(S P2 (1|P2 | )) = 1]| + | Pr[A(S P1 (1|P1 | )) = 1] − 1 Pr[A(S P2 (1|P2 | )) = 1]|, to show | Pr[A(Q1 ) = 1] − Pr[A(Q2 ) = 1]| ≤ p(n) , it
suffices to show | Pr[A(S P1 (1|P1 | )) = 1] − Pr[A(S P2 (1|P2 | )) = 1]| = neg(n). Let bad1 (resp. bad2 ) denote the event that in the computation of A(S P1 (1|P1 | )) (resp. A(S P2 (1|P2 | ))), S queries the oracle with an arbitrary one of the B + 1 keys stored in table K. It can be seen that on the occurrence of ¬badi , the oracle Pi always responds ⊥ to S in the respective computation for i = 1, 2. This results in that Pr[A(S P1 ) = 1|¬bad1 ] = Pr[A(S P2 ) = 1|¬bad2 ]. Further, since the r + 1 keys in each computation are chosen uniformly, the probability that at least one poly(n) of S’s queries to its oracle equals one of the keys is O( 2n ), which is a negligible quantity, since S at most proposes polynomial queries. This means Pr[badi ] = neg(n) for i = 1, 2. Pi Since Pr[¬badi ] = 1 − neg(n), Pr[A(S Pi ) = 1|¬badi ] = Pr[A(S )=1,¬badi ] = Pr[¬badi ] Pr[A(S Pi ) = 1]+neg(n) or Pr[A(S Pi ) = 1]−neg(n). Thus we have | Pr[A(S P1 ) = 1] − Pr[A(S P2 ) = 1]| = neg(n). So this claim follows as previously stated.
252
N. Ding, D. Gu, and Z. Liu
Now we need to show that any adversary on input a cipher text can hardly obtain some information of r (beyond the public bound B). Claim 3. For any PPT adversary A, A on input a cipher text Q can correctly guess r with probability no more than B1 + neg(n). Proof. Since A’s goal is to guess r (which was determined at the moment of generating Q), we can w.l.o.g. assume A’s output is in [1, B] ∪ {⊥}, where ⊥ denotes the case that A outputs a value which is outside [1, B] and thus viewed meaningless. Then, we construct B PPT algorithms A1 , · · · , AB with the following descriptions: Ai on input Q executes A(Q) and finally outputs 1 if A outputs i and outputs 0 otherwise, 1 ≤ i ≤ B. It can be seen each Ai can be viewed as a distinguisher and thus for any polynomial p there is a simulator Si for 1 . Namely, Ai satisfying that | Pr[Ai (Q) = 1] − Pr[Ai (SiP (1|P | )) = 1]| ≤ p(n) | Pr[A(Q) = i] − Pr[A(SiP (1|P | )) = i]| ≤ Pr[A(SrP (1|P | ))
1 p(n) 1 p(n) .
for each i. Thus for random r,
| Pr[A(Q) = r] − = r]| ≤ Let goodi denote the event that Si does not query its oracle with any one of the r + 1 keys for each i. On the occurrence of goodi , the oracle P always responds ⊥ to Si and thus the computation of A(SiP ) is independent of the r + 1 keys hidden in P . For the same reasons stated in the previous proof, Pr[A(SiP ) = r|goodi ] = B1 and Pr[goodi ] = 1 − neg(n). Thus it can be concluded Pr[A(SiP ) = r] ≤ B1 + neg(n) for all i’s. Thus for random r, Pr[A(SrP ) = r] ≤ B1 + neg(n). Hence combining this with the result in the previous paragraph, we have for any 1 . Thus Pr[A(Q) = r] ≤ B1 + neg(n). p Pr[A(Q) = r] ≤ B1 + neg(n) + p(n) When the attacker is catched by the forensics investigator, and ordered to hand over the real key and all fake keys, he is supposed to provide r fake keys and tries to convince the investigator that what he encrypted is an ordinary executable file. After obtaining these r keys, the forensics investigator can verify if these keys are valid. Since Q outputs ⊥ on input any other strings, we can assume that the attacker always hands over the valid fake keys, or else the investigator will no end the inquest until the r keys the attacker provides are valid. Then we turn to show that the cipher texts of two plain texts with equal bit length are still indistinguishable. Claim 4. DSKE satisfies the computational indistinguishability of encryption, even if the adversary obtains 1 ≤ r ≤ r valid fake keys. Proof. Assume an arbitrary A obtains a cipher text Q (Q1 or Q2 ) and r fake keys. Since on input the r fake keys as well as their decryptions and the subprogram in Q which consists of the obfuscated multi-bit point functions corresponding to those unexposed keys, denoted Q (Q1 or Q2 ), A can generate a cipher text which is identically distributed to Q, it suffices to show that for any outcome of the r fake keys as well as their decryptions, A , which is A with them hardwired, cannot tell Q1 from Q2 . Notice that Q is also an obfuscated multi-bit
Disguisable Symmetric Encryption
253
set-membership function. Then adopting the analogous method in the proof of 1 Claim 2, we have for any polynomial p, | Pr[A (Q1 ) = 1]−Pr[A (Q2 ) = 1]| ≤ p(n) . Details omitted.
Lastly, we need to show that after the adversary obtains 1 ≤ r ≤ r valid fake 1 keys where r < B, it can correctly guess r with probability nearly B−r , as the following claim states. Claim 5. For any PPT adversary A, A on input a cipher text Q can correctly 1 guess r with probability no more than B−r + neg(n) on the occurrence that the adversary obtains 1 ≤ r ≤ r valid fake keys for r < B. Proof. The proof is almost the same as the one of Claim 3. Notice that there are B − r possible values left for r and for any outcome of the r fake keys and their decryptions, A with them hardwired can be also viewed as an adversary, and Q (referred to the previous proof) is an obfuscated multi-bit set-membership function. The remainder proof is analogous.
Thus, we have shown that DSKE satisfies all the required security requirements of disguisable symmetric encryption. Since for an encryption scheme all security is lost if the key is lost, to put it into practice we need to discuss the issue of securely storing and management of these keys, which will be shown in the next subsection. 3.3
Management of the Keys
Since all the keys are generated at random, these keys cannot be remembered by human’s mind. Actually, by the requirement of the underlying obfuscation method presented in [4], the min-entropy of a key should be at least superlogarithmic and the available construction in [5] requires the min-entropy should be at least nε . By the algorithm of key generation in our scheme, this requirement can be satisfied. If an attacker has the strong ability to remember the random keys with nε min-entropy, he can view these keys as the rememberable passwords and keeps all keys in his mind. Thus there is no need for him to store the keys (passwords) and manage them. But actually, we think that it is still hard for human’s mind to remember several random strings with such min-entropy. On the other hand, keys or passwords generated by human’s mind are of course not random enough and thus cannot ensure the security of the encryption schemes. The above discussion shows that a secure management of keys should be introduced for attackers. The first attempt towards this goal is to store each key into a file and the attacker remembers the names of these files. When he needs to use the real key, he retrieves it from some file and then executes the encryption or decryption. When the encryption or decryption operation finishes, he should wipe all the information in the hard disk which records the read/write operation of this file. However, this attempt cannot eliminate the risk that the forensics investigator can scan the hard disk to gather all these files and obtain all keys.
254
N. Ding, D. Gu, and Z. Liu
Another solution is to use the obfuscation for multiple-bit set-membership functions one more time, as the construction 2 illustrates. That is, the attacker can arbitrarily choose r human-made passwords which can be easily remembered by himself. Let each password correspond to a key (the real one or a fake one). Then he constructs a program PWD which on each password outputs the corresponding key. It can be seen that the program PWD also computes a multiple-bit set-membership function, similar to the program P in Construction 2. Then obfuscate PWD using the similar way. However, it should be emphasized that to achieve the theoretical security guarantee by this obfuscation the passwords should be random with min-entropy nε . In general the human-made rememberable ones cannot satisfy this requirement, or else we could directly replace the keys in Construction 2 by these passwords. So this solution only has a heuristic security guarantee that no forensics investigator can reverse-engineering nor understand PWD even if he obtains all its code. The third solution is to let the attacker store the keys into a hardware device. However, we think putting all keys in a device is quite insecure since if the attacker is catched and ordered to hand over keys, he has to hand over this device and thus all the keys may expose to the investigator. Actually, we think that it is the two assumptions that result in that we cannot provide a solution with a theoretical security guarantee. The two assumptions are that the human’s mind cannot remember random strings with min-entropy nε and that the forensics investigator can always gather any file he desires from the attacker’s machine or related devices. Thus to find a scheme for secure management of keys with a theoretical guarantee, we maybe need to relax at least one of the assumptions. We suggest a solution by adopting such relaxation. Our relaxation is that we assume that the attacker has the ability to store at least a random string with such min-entropy in a secure way. For instance, this secure way may be to divide the string into several segments and store the different segments in his mind, the secret place in the hard disk and other auxiliary secure devices respectively. Under this assumption, the attacker can store the real key in this secure way and store some fake keys in different secret places in the hard disk using one or many solutions presented above or combining different solutions in storing these fake keys.
4
Conclusions
We now summarize our result as follows. To apply the disguisable symmetric encryption scheme, an attacker needs to perform the following ordered operations. First, he runs the key generation algorithm to obtain a real key and several fake keys according to Construction 2. Second, he adopts a secure way to store the real key as well as storing some fake keys in his hard disk. Third, erase all possible information generated in the first and second steps. Fourth, prepare a benign executable file which is of the same length with the malicious program
Disguisable Symmetric Encryption
255
(resp. the data file) he wants to encrypt. Fifth, the attacker can encrypt the malicious program (resp. the data file) if needed. By Construction 2, the encryption is secure, i.e. indistinguishable. If the attacker is catched by the forensics investigator and ordered to hand over keys to decrypt the cipher text of the malicious program (resp. the data file), he provides several fake keys to the investigator and claims that one of them is the real key and others are fake. Since all decryption are valid and the investigator has no idea of the number of the keys, the investigator cannot distinguish if the attacker lies to him.
References 1. Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S.P., Yang, K.: On the (Im)possibility of obfuscating programs. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 1–18. Springer, Heidelberg (2001) 2. Berghel, H.: Hiding Data, Forensics, and Anti-forensics. Commun. ACM 50(4), 15–20 (2007) 3. Canetti, R.: Towards realizing random oracles: Hash functions that hide all partial information. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 455–469. Springer, Heidelberg (1997) 4. Canetti, R., Dakdouk, R.R.: Obfuscating point functions with multibit output. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 489–508. Springer, Heidelberg (2008) 5. Canetti, R., Micciancio, D., Reingold, O.: Perfectly One-way Probabilistic Hash Functions. In: The 30th ACM Symposium on Theory of Computing, pp. 131–140. ACM, New York (1998) 6. Garfinkel, S.: Anti-forensics: Techniques, Detection and Countermeasures. In: The 2nd International Conference on i-Warfare and Security (ICIW), ACI, pp. 8–9 (2007) 7. Cabrera, J.B.D., Lewis, L., Mehara, R.: Detection and Classification of Intrusion and Faults Using Sequences of System Calls. ACM SIGMOD Record 30, 25–34 (2001) 8. Mohay, G.M., Anderson, A., Collie, B., McKemmish, R.D., de Vel, O.: Computer and Intrusion Forensics. Artech House, Inc., Norwood (2003) 9. Wee, H.: On Obfuscating Point Functions. In: The 37th ACM Symposium on Theory of Computing, pp. 523–532. ACM, New York (2005)
Digital Signatures for e-Government – A Long-Term Security Architecture Przemysław Bła´skiewicz, Przemysław Kubiak, and Mirosław Kutyłowski Institute of Mathematics and Computer Science, Wrocław University of Technology {przemyslaw.blaskiewicz,przemyslaw.kubiak,miroslaw.kutylowski}@ pwr.wroc.pl
Abstract. The framework of digital signature based on qualified certificates and X.509 architecture is known to have many security risks. Moreover, the fraud prevention mechanism is fragile and does not provide strong guarantees that might be regarded necessary for flow of legal documents. Recently, mediated signatures have been proposed as a mechanism to effectively disable signature cards. In this paper we propose further mechanisms that can be applied on top of mediated RSA, so that we obtain signatures compatible with the standard format, but providing security guarantees even in the case when RSA becomes broken or the keys are compromised. Our solution is well suited for deploying a large-scale, long-term digital signature system for signing legal documents. Moreover, the solution is immune to kleptographic attacks as only deterministic algorithms are used on user’s side. Keywords: mRSA, PSS padding, signatures based on hash functions, kleptography, deterministic signatures, pairing based signatures.
1 Introduction Digital signature seems to be the key technology for securing electronic documents against unauthorized modifications and forgery. However, digital signatures require a broader framework, where cryptographic security of a signature scheme is only one of the components contributing to the security of the system. Equally important are answers to the following questions: – how to make sure that a given public key corresponds to an alleged signer? – how to make sure that the private signing keys cannot be used by anybody else but its owner? While there is a lot of research on the first question (with many proposals such as alternative PKI systems, identity based signatures, certificateless signatures), the second question is relatively neglected, despite that we have no really good answers for the following specific questions:
The paper is partially supported by Polish Ministry of Science and Higher Education, grant N N206 2701 33, and by “MISTRZ” programme of Foundation for Polish Science.
X. Lai et al. (Eds.): E-Forensics 2010, LNICST 56, pp. 256–270, 2011. c Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2011
Digital Signatures for e-Government
257
1. how to make sure that a key generated outside a secure signature-creation device is not retained and occasionally used by the service provider? 2. how to make sure that an unauthorized person has not used a secure signaturecreation device after guessing the PIN? 3. if a secure signature-creation device has no keypad, how to know that the signatures under arbitrary documents are created by the PC in cooperation with the signature creation device? 4. how to make sure that there are no trapdoors or just security gaps in secure signaturecreation devices used? 5. how to make sure that a secure signature-creation device is immune to any kind of physical and side-channel attacks? In particular, how to make sure that a card does not generate faulty signatures giving room for fault cryptanalysis? 6. how to check the origin of a given signature-creation device, so that malicious replacement is impossible? Many of these problems are particularly hard, if signature creation devices are cryptographic smart cards. Some surrogate solutions have been proposed: ad 1) Retention of any such data has been declared as a criminal act. However, it is hard to trace any activity of this kind, if it is carefully hidden. Technical solutions, such as distributed key generation procedures have been proposed, so that a card must participate in key generation and the service provider does not learn the whole private key. However, in large scale applications these methods are not very attractive due to logistics problems (generation of keys at the moment of handing the card to its owner takes time and requires few manual operations). ad 2) Three failures to provide a PIN usually lead to blocking the card. However, the attacker may return the card after two trials into the wallet of the owner and wait for another chance. This is particularly dangerous for office applications. ad 3) This problem might be solved with new technologies for inputing data directly to a smart card. Alternatively, one may try to improve security of operating systems and processor architecture, but it seems to be extremely difficult, if possible at all. ad 4) So far, a common practice is to depend on declarations of the producers (!) or examinations by specially designated bodies. In the latter case, the signer is fully dependant on honesty of the examiner and completeness of the verification procedure. So far, the possibilities of thorough security analysis of chips and trapdoor detection are more a myth than technical reality. What the examiner can do is to check if there are some security threats that follow from violating a closed set of rules. ad 5) Securing a smart card against physical attacks is a never ending game between attacking possibilities and protection mechanisms. Evaluating the state of the art of attacking possibilities as well as effectiveness of hardware protection requires insider knowledge, where at least part of it is an industrial secret. So it is hard to say whether declarations of the manufacturers are dependable or, may be, they are based on their business goals. ad 6) The main protection mechanism remains the protection of a supply chain and visual protection mechanisms on the surface of the card (such as holograms). This is effective, but not against powerful adversaries.
258
P. Bła´skiewicz, P. Kubiak, and M. Kutyłowski
Kleptographic Channels. In the context of securing signature creation devices we especially focus on kleptographic attacks [1,2]. Kleptography is a set of cryptographic techniques that allow implementation of a kleptographic side channel within the framework of a randomized cryptographic protocol. Such channel is visible and usable only for its creator. Information transmitted in the channel is protected by a “public” key (i.e. asymmetric key used solely for encryption), information retrieval is possible with a matching “private” key. Let us assume that a manufacturer has planted a kleptographic channel in a batch of devices he produced. Then physical inspection of the tampered devices and extracting the “public” key do not give access to information hidden in the kleptographic channel of this or any other device. There are techniques of setting a kleptographic channel in nondeterministic crypto protocols in such a way that the protocol runs according to the specification, the statistical properties of its output are not altered, and, on top of that, the time characteristics remain within acceptable interval [3]. In the case of a nondeterministic signature, the information can be hidden in the signature itself. For deterministic protocols (like RSA for example) the nondeterministic part is the key generation, so the information may be hidden there (for details see e.g. [4], [5]). Mediated Signatures as Secure Signing Environment. The idea of mediated signatures is that signature creation requires not only using a private signing key, but also an additional key (or keys) held by a security mediator or mediators (SEM). Particularly straightforward is constructing mediated signatures on top of RSA. The idea is to split the original private key and give its parts to the signer and the mediator. It can be done in an additive way ([6,7,8]), or a multiplicative way ([7,9]). We focus on the former variant, because it broadens the set of ready-to-use algorithms for distributed generation of RSA keys and facilitates the procedure described in Sect. 4. Specifically, if d is the original private key, then the mediator gets d − du and the signer gets du , where du is (pseudo)random generated and distributed according to private keys regime. The idea presented in [8] is to use mediated signatures as a fundamental security mechanism for digital signatures. The mediator is located at a central server which keeps a black list of stolen/lost signature cards and refuses to finalize requests from such cards. Therefore, a withheld card cannot create a signature, even if there is no mechanism to block the card itself. It also allows for temporary disabling a card, for instance outside the office hours of the signer or just on request of the owner. Note that the mediator can also monitor activity of the card for accordance with its security policy (e.g. a limited number of signatures per day). Moreover, in this scenario recording of the time of the signature can be provided by the mediator which is not possible in the traditional mode of using signature cards. 1.1 Our Contribution We propose a couple of additional security mechanisms that are backwards compatible: standard software can verify such signatures in the old way. We address the following issues: – protection against kleptographic attacks on RSA signatures exploiting padding bits [5],
Digital Signatures for e-Government
259
– combining RSA signature with a signature based on discrete logarithm problem, so that in case of breaking RSA a forged signature can be recognized, – a method of generating signatures between the signer and the mediator, so that a powerful adversary cannot create signatures even if he knows the keys. This paper is not on new signature schemes but rather on system architecture that should prevent or detect any misuse of cryptographic mechanisms.
2 Building Blocks 2.1 RSA Signatures and Message Encoding Functions An RSA signature is a result of three functions: a hash function h applied to the message m to be signed, a coding function C converting the hash value to a number modulo RSA number N , and finally an exponentiation modulo N : (C(h(m)))d mod N. The coding function must be chosen with care (see attacks [10], [11]). In this paper we use EMSA-PSS coding [12]. A part of the coding, important in tightening security reduction (cf. [13]), is encoding a random salt string together with the hash value. Normally, this may lead to many problems due to kleptographic attacks, but we shall use the salt as place for embedding another signature. Embedding a signature does not violate the coding – according to Sect. 8.1 of [12]: as salt even “a fixed value or a sequence number could be employed (. . . ), with the resulting provable security similar to that of FDH” (Full Domain Hashing). Another issue, crucial for the embedded signature, is the length of salt. In Appendix A.2.3 of [12] a type RSASSA-PSS-params is described to include, among others, a field saltLenght (i.e. octet length of the salt). [12] specifies the default value of the field to be the octet length of the output of the function indicated in the hashAlgorithm field. However, saltLength may be different: let modBits denote bitlength of N , and hLen denotes the length in octets of the hash function output, then the following condition (see Sect. 9.1.1 of [12]) imposes an upper bound for salt length: (modBits − 1)/8 − 2 ≥ saltLength + hLen. 2.2 Deterministic Signatures Based on Discrete Logarithm Most discrete logarithm based signatures are probabilistic ones. The problem with these solutions is that there are many kleptographic schemes taking advantage of the pseudorandom parameters for signature generation, that may be potentially used to leak keys from a signature creation device. On the other hand, DL based signatures are based on different algebraic structures than RSA and might help in the case when security of RSA becomes endangered.
260
P. Bła´skiewicz, P. Kubiak, and M. Kutyłowski
Fortunetely, there are deterministic signatures based on DL Problem, see for instance the BLS [14] or [15]. In this paper we use BLS: Suppose that G1 , G2 are cyclic additive groups of prime order q, and let P be a generator of G1 . Assume that there is an efficiently computable isomorphism ψ : G1 → G2 , thus ψ(P ) is a generator of G2 . Let GT be a multiplicative group of prime order q, and eˆ : G1 × G2 → GT be a non-degenerate bilinear map, that is: 1. for all P ∈ G1 , Q ∈ G2 and a, b ∈ Z, eˆ([a]P, [b]Q) = eˆ(P, Q)ab , where [k]P denotes scalar k multiplication of element P , 2. eˆ(P, ψ(P )) = 1. For simplicity one may assume G2 = G1 , and ψ ≡ id. In the BLS scheme G1 is a subgroup of points of an elliptic curve E defined over some finite field Fpr , and GT is a subgroup of the multiplicative group F∗prκ , where κ is a relatively small integer, say κ ∈ {12, . . . , 40}. The number κ is usually called the embedding degree. Note that q|#E, but for security reasons we require that q 2 |#E. The signature algorithm comprises of calculation of the first point H(m) ∈ P corresponding to a message m, and computing [xu ]H(m), i.e. multiplication of elliptic curve point H(m) by scalar xu being the private key of the user making the signature. The signature is the x-coordinate of the point [xu ]H(m). Verification of the signature (see Sect. 3) takes place in the group F∗prκ , and it is more costly than signature generation. 2.3 Signatures Based on Hash Functions Apart from RSA and discrete logarithm based signatures there is a third family: signatures based on hash functions. Their main advantage is fast verification, their main disadvantage is limitation on the number of signatures one can create – basic schemes of this kind are usually one-time signatures. This drawback can be alleviated by employing Merkle trees, and the resulting schemes (Merkle Signature Scheme – MSS) offer multipe-time signatures. In this case however, the maximal number of signatures is determined at the time of key generation. This in turn causes complexity issues, since building a large, single Merkle tree is calculation demanding. In [16], the GMSS algorithm loosens this limitation: even 280 signatures might be verified with the root of the main tree. 2.4 Overview of System Architecture The system is based on security mediator SEM, as in [17]. However, we propose to split SEM into t sub-centers sub-SEMi , i = 1, . . . , t, t ≥ 2 (such decomposition would alleviate the problems of information leakage from a SEM). System components on the signer’s side are: a PC and a smart card used as a secure signature creation device. When the signer wishes to compose a signature, then the smart card performes some operations in interaction with the SEMs. The final output of the SEMs is a high quality signature – its safety is based on many security mechanisms that on the whole address the problems and scenarios mentioned in the introduction.
Digital Signatures for e-Government
261
3 Nested Signatures Since long-term predictions about scheme’s security are given with large amount of uncertainty, it seems reasonable to strengthen the RSA with another deterministic signature scheme — the BLS [14]. We combine them together using RSASSA-PSS, with the RSA signature layer being the mediated one, while BLS is composed solely by the smart card of the signer. Thanks to the way the message is coded the resulting signature can be input to a standard RSA verification software which will still verify the RSA layer in the regular way. However, software aware of the nesting can perform a thorough verification and check both signatures.
Fig. 1. Data flow for key generation. Operations in rounded rectangles are performed distributively.
262
P. Bła´skiewicz, P. Kubiak, and M. Kutyłowski
Key Generation. We propose that the modulus N and the secret exponent d of RSA should be generated outside the card in a multiparty protocol (accordingly, we divide the security mediator SEM into t sub-SEMs, t ≥ 2). This prevents any trapdoor or kleptography possibilities on the side of the smart card, and makes it possible to use high quality randomness. Last not least, it may speed up logistics issues (generation of RSA keys is relatively slow and the time delay may be annoying for an average user). Multiparty generation of RSA keys has been described in the literature: [18] – for at least 3 participants (for real implementation issues see [19], for a robust version see [20]), [21] – for two participants, or a different approach in [22]. Let us describe the steps of generating the RSA and BLS keys in some more detail (see also Fig. 1): Suppose that the card holds some single, initial, unique priate key sk (set by the card’s producer) for deterministic one-time signature scheme. Let the public part pk of the key be given to SEM before the following protocol is executed. Assume also that the card’s manufacturer has placed into the card SEM’s public key for verification of SEM’s signatures. 1. sub-SEM1 selects an elliptic curve defined over some finite field (the choice determines also a bilinear mapping eˆ) and a basepoint P of prime order q. Then sub-SEM1 transmits this data together with definition of eˆ to the other sub-SEM’s for verification. 2. If the verification succeeded, each sub-SEMi picks xi ∈ {0, . . . , q − 1} at random and broadcasts the point [x i ]P to other sub-SEMs. t t 3. Each sub-SEM calculates i=1 [xi ]P , i.e. calculates [ i=1 xi ]P . 4. The sub-SEMs generate the RSA-keys using a multiparty let the resulting protocol: t public part be (e, N ) and the secret exponent be d = i=1 d˜i , where d˜i ∈ Z is known only to sub-SEMi . 5. All sub-SEMs now distributively sign all public data D generated so far, i.e.: the public one time key pk (which serves as identifier of the addressee of data D), the definition of the field, curve E, points P , [xi ]P , i = 1, . . . , t, order q of P , map eˆ and RSA public key (e, N ). The signature might also be a nested signature, even with the inner signature being a probabilistic one, e.g. ECDSA (to mitigate the threat of klepto channel each sub-SEM might xor outputs from a few random number generators). 6. Let is a fixed element from the set {128, . . . , 160} (see e.g. the range of additive sharing over Z in Sect. 3.2 of [22], and Δ in S-RSA-DEL delegation protocol in Fig. 2 of [23]). Each sub-SEMi , i = 1, . . . , t picks di,u ∈ {0, . . . , 2log2 N +1+ − 1} at random and calculates integer di,SEM = d˜i − di,u . Note that di,u can be calculated independently of N (e.g. before N ), only the length of N must be known. 7. The card contacts sub-SEM1 over a secure channel and receives the signed data D. If verification of the signature succeeds the card picks its random element x0 ∈ {0, . . . , q − 1}, and calculates [x0 ]P . 8. For each i ∈ {1, . . . , t} the card contacts sub-SEMi over a secure channel and sends it [x0 ]P and sigsk ([x0 ]P ). The sub-SEMi verifies the signature and only then does it respond with xi and di,u and a signature thereof (a certificate for the sub-SEMi signature key is distributiely signed by all sub-SEMs, and is transferred
Digital Signatures for e-Government
263
to the card together with the signature). The card immediately checks xi against P , [xi ]P from D. 9. At this point all sub-SEMs compare the received element [x0 ]P ∈ E (i.e. they check if the sk was really used only once). If this is so, then the value is taken as ID-card’s part of the BLS public key. the sub-SEMs complete calculation of Then t the key: E, P ∈ E, Y = [x0 ]P + [ i=1 xi ]P , and issue an X.509 certificate for the card that it possesses the RSA key (e, N ). In some extension field the certificate must also contain card’s BLS public key for the inner signature. The certificate is signed distributively. Sub-SEMt now transfer the certificate t to the ID-card. 10. The card calculates its BLS private key as xu = i=0 xi mod q and its part t of RSA private key as integer du = i=1 di,u . Note that the remaining part t dSEM = d of the secret key d is distributed among sub-SEMs, who i,SEM i=1 will participate in every signing procedure initiated by the user. Neither he nor the sub-SEMs can generate valid signatures on their own. 11. The card compares the certificate received from the last sub-SEM with D received from the first sub-SEM. As the last check the card initializes the signature generation protocol (see below) to sign the certificate. If the finalized signature is valid the card assumes that du is valid as well, and removes all partial di,u and partial xi together with their signatures. Otherwise the card discloses all data received, together with their signatures. Each user should receive a different set of keys, i.e. different modulus N for RSA system and a unique (non-isomorphic with the ones so far generated) elliptic curve for the BLS signature. This can minimize damages that could result by breaking both systems using adequately large resources. Signature Generation 1. The user’s PC computes the hash value h(m) of the message m to be signed, and sends it to the smartcard. 2. the smartcard signs h(m) using BLS scheme: the first point H(h(m)) of the group P , corresponding to h(m), is calculated deterministically, according to the procedure from [14] (alternatively, the algorithm from [24] might be used, complemented by multiplication by scalar #E/q to get a point in the subgroup of order q), next H(h(m)) is multiplied by the scalar xu , which yields point [xu ]H(h(m)). The BLS signature of h(m) is the x-coordinate x([xu ]H(h(m))) of the point [xu ]H(h(m)). The resulting signature is unpredictable to both the card’s owner as well as other third parties. We call this signature the salt. 3. Both h(m) and salt can now be used by the card as variables in execution of RSASSA-PSS scheme: they just need to be composed according to EMSA-PSS [12] and the result μ can now be simply RSA-exponentiated. 4. In the process of signature generation, the user’s card calculates the du ’th power of the result μ of EMSA-PSS padding and sends it, along with the message digest h(m) and the padding result itself, to the SEM. That is, it sends the triple (h(m), su , μ), where su = μdu mod N . t 5. The sub-SEMs finalize the RSA exponentiation: s = su · i=1 μdi,SEM mod N , thus finishing the procedure of RSA signature generation.
264
P. Bła´skiewicz, P. Kubiak, and M. Kutyłowski
6. At this point a full verification is possible: SEM verifies the RSA signature, checks the EMSA-PSS coding – this includes salt recovering and verification of the inner signature (it also results in checking if the card had chosen the first possible point on the curve while encoding h(m)). If the checks succeed, the finalized signature is sent back to the user. A failure means that the card has malfunctioned or behaved maliciously – as we see, the system-internal verification is of vital importance. Note that during the signature generation procedure the smartcard and sub-SEMs cannot use CRT, as in this case the factorization of N would be known to all parties. This increases signing time, especially on the side of the card. But, theoretically, this can be seen as an advantage. For example, the signing time longer than 10 sec. means that one cannot generate more than 225 signatures over the period of 10 years; we therefore obtain an upper limit on power of the adversary in results of [25] and [13]. In fact the SEM might arbitrarily set a lower bound for the period of time it must pass between two consecutive finalizations of signatures of the same user. Moreover, if CRT is not in use, then some category of fault attacks is eliminated ([26,27]). Signature Verification. For given m and its alleged signature s: 1. The verifier calculates h(m) and the point H(h(m)) ∈ P . 2. Given the RSA public key (e, N ) the verifier first calculates μ = se mod N , and checks the EMSA-PSS coding against h(m) (this includes salt recovery). 3. If the coding is valid then, given BLS public key E, P , Y , q, and eˆ, the verifier checks the inner signature. From salt = x([xu ]H(h(m))) one of the two points ±[xu ]H(h(m)) is calculated, denote this point by Q. Next, it is checked whether the order of Q equals q. If it does, then the verifier checks if one of the conditions holds: eˆ(Q, P ) = eˆ(H(h(m)), Y ) or eˆ(Q, P ) = (ˆ e(H(h(m)), Y ))−1 .
4 Floating Exponents Let us stress the fact that splitting the secret exponent d from the RSA algorithm between the user and the SEM has additional benefits. If the RSA and inner signature [14] keys are broken, it is still possible to verify if a given signature was mediated by the SEM or not, provided that the later keeps a record of operations it performed. Should this verification fail, it becomes obvious that both keys have been broken and, in particular, the adversary was able to extract the secret exponent d. On the other hand, if the adversary wants to trick the SEM by offering it a valid partial RSASSA-PSS signature with a valid inner signature [14], he must know the right part du of the exponent d of the user whose keys he had broken. Doing this equals solving a discrete logarithm problem taken modulus each factor of N (though the factors length equals half of that of N ). Therefore it is vital that no constraints, in particular on length, be placed on exponents d and their parts. To mitigate the problem of smaller length of the factors of N , which allows solving the discrete logarithm problem with relatively small effort, a technique of switching exponent parts can be used. Let the SEM and the card share the same secret key K, which is unique for each card. After a signature is generated, the key deterministically
Digital Signatures for e-Government
265
evolves on both sides. For each new signature, K is used as an initialization vector for a secure pseudo-random number generator (PRNG) to obtain a value that is added by the card to the part of the exponent it stores, and subtracted by the SEM from the part stored therein. This way, for each signature different exponents are used, but they still sum up to the same value. A one-time success at finding the discrete logarithm brings no advantage to the attacker as long as PRNG is strong and K remains secret. To state the problem more formally, let Ki be a unique key shared by the card and sub-SEMi , i = 1, . . . , t (t ≥ 1). To generate an RSA signature the card does the exponentiation of the result of EMSA-PSS coding to the exponent equal to du ±
t
(−1)i · GEN (Ki ),
(1)
i=1
where GEN (Ki ) is an integer output of a cryptographically safe PRNG (see e.g. generators in [28], excluding the Dual_EC_DRBG generator – for the reason see [29]). It suffices if length of GEN (Ki ) equals +
log2 N + 1, where is a fixed element from the set {128, . . . , 160}. Operator “±” in Eq. (1) means that the exponent is alternately “increased” and “decreased” every second signature: this and multiplier (−1)i lessen changes of length of the exponent. Next, for each Ki the card performs a deterministic key evolution (sufficiently many steps of key evolution seem to be feasible on nowadays smart cards, cf. [30] claiming on p. 4, Sect. “E2 PROM Technology”, even 5 · 105 write/erase cycles). To calculate its part of the signature, each sub-SEMi exponentiates the result μ of EMSA-PSS coding (as received from the user along with the partial result of exponentiation) to the power of di,SEM ∓(−1)i ·GEN (Ki ). Next, the sub-SEMi performs a deterministic evolution of the key Ki . Note that should the card be cloned it will be revealed after the first generation of a signature by the clone – the SEM will make one key-evolution step further than the original card and the keys will not match. Each sub-SEMi shall keep apart from its current state, the initial value of Ki to facilitate the process of investigation in case the keys get de-synchronized. To guarantee that the initial Ki will not be changed by sub-SEMi , the following procedure might be applied: At point 2 of key generation procedure each sub-SEM commits to the initial Ki by broadcasting its hash h(Ki ) to other sub-SEMs. Next, at point 5 all broadcasted hashes are included in data set D, and are distributively signed by sub-SEMs with all the public data. Note that these hashes are sent to the card at point 7, and at points 7, 8 the card can check Ki against its commitment h(Ki ), i = 1, . . . , t. In order to force the adversary into tricking the SEM (i.e. make it even harder for him to generate a valid signature without participation of the SEM), one of the subSEMs may be required to place a timestamp under the documents (the timestamp would contain this sub-SEM’s signature under the document and under the user’s signature finalized by all the sub-SEMs) and only timestamped documents can be assumed valid. Such outer signature in the timestamp must be applied both to the document and to the finalized signature of the user. The best solution for it seems to be to use a scheme based on a completely different problem, to use a hash function signature scheme for instance. The Merkle tree traversal algorithm provides additional features with respect to timestamping: if a given sub-SEM faithfully follows the algorithm for any two document
266
P. Bła´skiewicz, P. Kubiak, and M. Kutyłowski
signatures it is possible to reconstruct (based on the signature only, without an additional timestamp) the succession in which the documents have been signed. Note that other sub-SEMs will verify the outer hash-based signature as well as the tree traversal order. If hash-based signatures are implemented in SEM, it is important to separate the source of randomness from implementation of the signatures (i.e. from key generation — apart from key generation this signature scheme is purely deterministic). Instead of one, at least two independent sources of randomness should be utilized and their outputs combined.
5 Forensic Analysis As an example of forensic analysis consider the case of malicious behavior of one of the sub-SEMs. Suppose that the procedure of distributed RSA key generation bounds each sub-SEMi to its secret exponent d˜i (see point 4 of the ID-card’s key generation procedure), for example by some checking signature made at the end of the internal procedure of generating the RSA key. As we could see, the sub-SEMi cannot claim that the initial value of Ki was different than the one passed to the card. If correct elements di,SEM , Ki , i = 1, . . . , t, were used in RSA signature generation at point 11 of the key generation procedure, and correct di,u were passed to the ID-card, then the signature is valid. The sub-SEMs should then save all values βi = μαi mod N generated by sub-SEMi , i = 1, . . . , t, to finalize the first cards partial signature su : s = su
t
μαi mod N.
i=1
Since αi = di,SEM − (−1)i · GEN (Ki ), and the initial value of Ki is bounded by h(Ki ), value βi is a commitment of correct di,SEM . Now consider the case of the first signature being invalid. First, the ID-card is checked: it reveals all values received: Ki , as well as received di,u , i = 1, . . . , t. Next, raising μ to power ( ti=1 di,u )+ ti=1 (−1)i ·GEN (Ki ) is repeated to check if partial signature su was correct. If it was, it is obvious that at least one sub-SEM behaved maliciously. All d˜i must be revealed, and integers di,SEM = d˜i − di,u are calculated. Having di,SEM and Ki it is easy to check correctness of each exponentiation μαi mod N .
6 Implementation Recommendations Hash Functions. Taking into account security aspects of long-term certificates used for digital signatures a hash function h used to make digests h(m) should have longterm collision resistance. Therfore we propose to use the zipper hash construction [31], which utilizes two hash functions that are feed with the same message. To harden the zipper hash against general techniques described in [32], we propose to use as the first hash function some non-iterative one, e.g. a hash function working analogously to MD6, when MD6’s optional, mode control parameter L is greater than 27 (see Sect. 2.4.1 in [33]) – note that L = 64 by default.
Digital Signatures for e-Government
267
RSA. It is advisable that modulus N of the RSA algorithm be a product of two strong primes [22]. Let us assume that the adversary succeeded in factorizing N into q and p. We do not want him to be able to gain any knowledge on the sum (1), that is indirectly on outputs of GEN (Ki ) for i = 1, . . . , t. However, if p − 1 or q − 1 has a large smooth divisor, then by applying Pohling-Hellman algorithm he might be able to recover the value of sum (1) modulo the smooth divisor. Here “smooth” depends on adversary’s computational power, but if p, q are of the form 2p + 1, 2q + 1, respectively, where p , q are prime, then the smooth divisors for this case equal two only. Additionally, if the card and all the sub-SEMi unset the least significant bit of GEN (Ki ) then the output of the generator will not be visible in the subgroups of order two. In order to learn anything about (1), the adversary needs to perform an attack on discrete logarithm problem in the subgroup of large prime order (i.e. p or q ). A single value does not bring much information and the same calculations must be carried out for many other intercepted signatures in order to launch cryptanalysis recovering keys Ki . Elliptic Curves. The elliptic curve for the inner signature should have embedding degree ensuring at least 128-bit security (cf. [34]). Note that the security of the inner signature may not be entirely independent of the security of RSA – a progress made in attacks utilizing GNFS may have serious impact on index calculations (see last paragraph on p. 29 of online version [35]). Meanwhile, using pairing we need to take into account the fact, that the adversary may try to attack the discrete logarithm problem in the field in which verification of the inner signature takes place. Therefore we recommend a relatively high degree of security for the inner signature (see that according to Table 7.2 from [36], 128-bit security is achieved by RSA for 3248-bit modulus N , and such long N could distinctly slow down calculations done on the side of a smart card). The proposed nested signature scheme with the zipper hash construction, extended with the secret keys shared between the card and sub-SEMs used for altering the exponent, and the SEM hash-signature under a timestamp, taken together increase the probability of outlasting the crypto analytical efforts of the (alleged) adversary. We hope that on each link (card → SEM, SEM → finalized signature with a timestamp) at least one out of three safeguards will last. 6.1 Resources and Logistics If the computational and communication costs of distributed computation of strong RSA keys are prohibitively big to use this method on a large scale, one could consider the following alternative solution. Suppose there is a dealer who generates the RSA keys and splits each of them into parts that are distributed to the card and a number of sub-SEMs. When parts of the key are distributed, the dealer destroys its copy of the key. Assume that the whole procedure of keys generation and secret exponents partition is deterministic, dependent of a random seed that is distributively generated by the dealer and sub-SEMs. For the purpose of verification for each key the parties must first commit to the shares of the seed they generated for that key. Next, some portion of the keys produced by the dealer as well as the partition of the secret exponents undergo a verification against commited shares of the seed. The verified values are destroyed afterwards.
268
P. Bła´skiewicz, P. Kubiak, and M. Kutyłowski
The BLS key should be generated as described in Subsect. 3, necessarily before the RSA key is distributed. Furthermore, each sub-SEMi generates its own secret key Ki to be used for altering the exponent, and sends it to the card (each sub-SEMi should generate Ki before it has obtained its part of the RSA exponent). One of the sub-SEMs or a separate entity designated for timestamping, generates its public key for timestamp signing (also before the RSA key is distributed). Note that this way there are components of the protocol beyond the influence of the trusted dealer (the same applies to each of the sub-SEMs). Another issue are resources of the platform on which the system is implemented on signer’s side. If the ID-card does not allow to generate the additional, inner signature efficiently, when the non-CRT implementation of RSA signatures must be executed, HMAC [37] function might be used as a source of a salt for the EMSA-PSS encoding. Let KMAC be a key shared by the ID-card and one of the sub-SEM’s, say sub-SEMj . To generate a signature under message’s digest h(m), salt = HMAC(h(m), KMAC ) is calculated by the ID-card, and the signature generation on the user’s side proceeds further as described above. On the SEM’s side, after finalization of the RSA signature the EMSA-PSS encoding value μ is verified. The sub-SEMj possessing KMAC can now check validity of salt. Note that KMAC might evolve as keys Ki do, and KMAC might be used instead of Kj (thus one key might be dropped from Eq. (1)). In case of key-evolution the initial value of KMAC should also be stored by sub-SEMj , to facilitate a possible investigation. If BLS is replaced by HMAC, then a more space-efficient encoding function [38] may be used instead of EMSA-PSS. The scheme uses a single bit value produced by a pseudorandom number generator on the basis of a secret key (the value is duplicated by the encoding function). Thus this bit value might be calculated from HMAC(h(m), KMAC ). Note that also in this case the evolution of KMAC is enough to detect the fact that ID-card has been cloned, even if other keys Ki from (1) are not used in the system: usually a pseudorandom sequence and its shift differ every few possitions. Yet another aspect that influences the system is the problem of trusted communication channels between the dealer and the card, and between each sub-SEM and the card. If these are cryptographic (remote) channels, then, above all, security of the whole system will depend on the security of the cipher in use. Moreover, if a public-key cipher is to be used, the question remains as to who is going to generate the public key (and the corresponding secret key) of the card? It should not be the card itself, neither its manufacturer. If, on the other hand, a symmetric cipher was used, then how to deliver the key to the card remains an open question. A distinct symmetric key is needed on the card for each sub-SEM and, possibly, for the dealer. Therefore (above all, in order to eliminate the dependence of the signing schemes from the cipher scheme(s)), the best solution would be to transfer the secret data into the card directly on site where the data is generated (i.e. at the possible dealer and all the subsequent sub-SEMs). Such a solution can have its influence on the physical location of sub-SEMs and/or means of transportation of the cards. Final Remarks In this paper we have shown that a number of practical threats for PKI infrastructures can be avoided. In this way we can address most of the technical and legal challenges
Digital Signatures for e-Government
269
for proof value of electronic signatures. Moreover, our solutions are obtained by crytpographic means, so they are independent from hardware security mechanisms, which are hard to evaluate by parties having no sufficient technical insight. In contrast, our cryptographic solutions against hardware problems are platform independent and selfevident.
References 1. Young, A., Yung, M.: The dark side of “Black-box” cryptography, or: Should we trust capstone? In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 89–103. Springer, Heidelberg (1996) 2. Young, A., Yung, M.: The prevalence of kleptographic attacks on discrete-log based cryptosystems. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 264–276. Springer, Heidelberg (1997) 3. Young, A.L., Yung, M.: A timing-resistant elliptic curve backdoor in RSA. In: Pei, D., Yung, M., Lin, D., Wu, C. (eds.) Inscrypt 2007. LNCS, vol. 4990, pp. 427–441. Springer, Heidelberg (2008) 4. Young, A., Yung, M.: A space efficient backdoor in RSA and its applications. In: Preneel, B., Tavares, S. (eds.) SAC 2005. LNCS, vol. 3897, pp. 128–143. Springer, Heidelberg (2006) 5. Young, A., Yung, M.: An elliptic curve backdoor algorithm for RSASSA. In: Camenisch, J.L., Collberg, C.S., Johnson, N.F., Sallee, P. (eds.) IH 2006. LNCS, vol. 4437, pp. 355–374. Springer, Heidelberg (2007) 6. Boneh, D., Ding, X., Tsudik, G., Wong, C.M.: A method for fast revocation of public key certificates and security capabilities. In: SSYM 2001: Proceedings of the 10th Conference on USENIX Security Symposium, p. 22. USENIX Association, Berkeley (2001) 7. Tsudik, G.: Weak forward security in mediated RSA. In: Cimato, S., Galdi, C., Persiano, G. (eds.) SCN 2002. LNCS, vol. 2576, pp. 45–54. Springer, Heidelberg (2003) 8. Boneh, D., Ding, X., Tsudik, G.: Fine-grained control of security capabilities. ACM Trans. Internet Techn. 4(1), 60–82 (2004) 9. Bellare, M., Sandhu, R.: The security of practical two-party RSA signature schemes. Cryptology ePrint Archive, Report 2001/060 (2001) 10. Coppersmith, D., Coron, J.S., Grieu, F., Halevi, S., Jutla, C.S., Naccache, D., Stern, J.P.: Cryptanalysis of ISO/IEC 9796-1. J. Cryptology 21(1), 27–51 (2008) 11. Coron, J.S., Naccache, D., Tibouchi, M., Weinmann, R.P.: Practical cryptanalysis of ISO/IEC 9796-2 and EMV signatures. Cryptology ePrint Archive, Report 2009/203 (2009) 12. RSA Laboratories: PKCS#1 v2.1 — RSA Cryptography Standard + Errata (2005) 13. Jonsson, J.: Security proofs for the RSA-PSS signature scheme and its variants. Cryptology ePrint Archive, Report 2001/053 (2001) 14. Boneh, D., Lynn, B., Shacham, H.: Short signatures from the Weil pairing. J. Cryptology 17(4), 297–319 (2004) 15. Zhang, F., Safavi-Naini, R., Susilo, W.: An efficient signature scheme from bilinear pairings and its applications. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 277–290. Springer, Heidelberg (2004) 16. Buchmann, J., Dahmen, E., Klintsevich, E., Okeya, K., Vuillaume, C.: Merkle signatures with virtually unlimited signature capacity. In: Katz, J., Yung, M. (eds.) ACNS 2007. LNCS, vol. 4521, pp. 31–45. Springer, Heidelberg (2007) 17. Kubiak, P., Kutyłowski, M., Lauks-Dutka, A., Tabor, M.: Mediated signatures - towards undeniability of digital data in technical and legal framework. In: 3rd Workshop on Legal Informatics and Legal Information Technology (LIT 2010). LNBIP. Springer, Heidelberg (2010) 18. Boneh, D., Franklin, M.: Efficient generation of shared RSA keys. J. ACM 48(4), 702–722 (2001)
270
P. Bła´skiewicz, P. Kubiak, and M. Kutyłowski
19. Malkin, M., Wu, T.D., Boneh, D.: Experimenting with shared generation of RSA keys. In: NDSS. The Internet Society, San Diego (1999) 20. Frankel, Y., MacKenzie, P.D., Yung, M.: Robust efficient distributed RSA-key generation. In: PODC, vol. 320 (1998) 21. Gilboa, N.: Two party RSA key generation (Extended abstract). In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 116–129. Springer, Heidelberg (1999) 22. Algesheimer, J., Camenisch, J., Shoup, V.: Efficient computation modulo a shared secret with application to the generation of shared safe-prime products. Cryptology ePrint Archive, Report 2002/029 (2002) 23. MacKenzie, P.D., Reiter, M.K.: Delegation of cryptographic servers for capture-resilient devices. Distributed Computing 16(4), 307–327 (2003) 24. Coron, J.S., Icart, T.: An indifferentiable hash function into elliptic curves. Cryptology ePrint Archive, Report 2009/340 (2009) 25. Coron, J.-S.: On the Exact Security of Full Domain Hash. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 229–235. Springer, Heidelberg (2000) 26. Coron, J.-S., Joux, A., Kizhvatov, I., Naccache, D., Paillier, P.: Fault attacks on RSA signatures with partially unknown messages. In: Clavier, C., Gaj, K. (eds.) CHES 2009. LNCS, vol. 5747, pp. 444–456. Springer, Heidelberg (2009) 27. Coron, J.-S., Naccache, D., Tibouchi, M.: Fault attacks against EMV signatures. In: Pieprzyk, J. (ed.) CT-RSA 2010. LNCS, vol. 5985, pp. 208–220. Springer, Heidelberg (2010) 28. Barker, E., Kelsey, J.: Recommendation for random number generation using deterministic random bit generators (revised). NIST Special Publication 800-90 (2007) 29. Shumow, D., Ferguson, N.: On the possibility of a back door in the NIST SP800-90 Dual EC Prng (2007), http://rump2007.cr.yp.to/15-shumow.pdf 30. Infineon Technologies AG: Chip Card & Security: SLE 66CLX800PE(M) Family, 8/16-Bit High Security Dual Interface Controller For Contact based and Contactless Applications (2009) 31. Liskov, M.: Constructing an ideal hash function from weak ideal compression functions. In: Biham, E., Youssef, A.M. (eds.) SAC 2006. LNCS, vol. 4356, pp. 358–375. Springer, Heidelberg (2007) 32. Joux, A.: Multicollisions in iterated hash functions. Application to cascaded constructions. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 306–316. Springer, Heidelberg (2004) 33. Rivest, R.L., Agre, B., Bailey, D.V., Crutchfield, C., Dodis, Y., Elliott, K., Khan, F.A., Krishnamurthy, J., Lin, Y., Reyzin, L., Shen, E., Sukha, J., Sutherland, D., Tromer, E., Yin, Y.L.: The MD6 hash function. a proposal to NIST for SHA-3 (2009) 34. Granger, R., Page, D.L., Smart, N.P.: High security pairing-based cryptography revisited. In: Hess, F., Pauli, S., Pohst, M. (eds.) ANTS 2006. LNCS, vol. 4076, pp. 480–494. Springer, Heidelberg (2006) 35. Lenstra, A.K.: Key lengths. In: The Handbook of Information Security, vol. 2, Wiley, Chichester (2005), http://www.keylength.com/biblio/Handbook_of_ Information_Security_-_Keylength.pdf 36. Babbage, S., Catalano, D., Cid, C., de Weger, B., Dunkelman, O., Gehrmann, C., Granboulan, L., Lange, T., Lenstra, A., Mitchell, C., Näslund, M., Nguyen, P., Paar, C., Paterson, K., Pelzl, J., Pornin, T., Preneel, B., Rechberger, C., Rijmen, V., Robshaw, M., Rupp, A., Schläffer, M., Vaudenay, S., Ward, M.: ECRYPT2 yearly report on algorithms and keysizes (2008-2009) (2009) 37. Krawczyk, H., Bellare, M., Canetti, R.: HMAC: Keyed-Hashing for Message Authentication. RFC 2104 (Informational) (1997) 38. Qian, H., Li, Z.-b., Chen, Z.-j., Yang, S.: A practical optimal padding for signature schemes. In: Abe, M. (ed.) CT-RSA 2007. LNCS, vol. 4377, pp. 112–128. Springer, Heidelberg (2006)
SQL Injection Defense Mechanisms for IIS+ASP+MSSQL Web Applications Beihua Wu* East China University of Political Science and Law, 555 Longyuan Road, Shanghai, China, 201620 [email protected]
Abstract. With the sharp increase of hacking attacks over the last couple of years, web application security has become a key concern. SQL injection is one of the most common types of web hacking and has been widely written and used in the wild. This paper analyzes the principle of SQL injection attacks on Web sites, presents methods available to prevent IIS+ASP+MSSQL web applications from these kinds of attacks, including secure coding within the web application, proper database configuration, deployment of IIS and other security techniques. The result is verified by WVS report. Keywords: SQL Injection, Web sites, Security, Cybercrime.
1
Introduction
Together with the development of computer network and the advent of e-business (such as E-trade, cyber-banks, etc.) cybercrime continues to soar. The number of cyber attacks is doubling each year, aided by more and more skilled hackers and increasing easy-to-use hacking tools, as well as the fact that system and network administrators are exhausted and have inadequately trained. SQL injection is one of the most common types of web hacking and has been widely written and used in the wild. SQL injection attacks represent a serious threat to any database-driven sites and result in a great number of losses. This paper analyzes the principle of SQL injection attacks on Web sites, presents methods available to prevent IIS+ASP+MSSQL web applications from the attacks and implement those in practice. Finally, we draw the conclusions.
2
The Principle of SQL Injection
SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application [1]. If user input, which is embedded in SQL statements, is incorrectly filtered for escape characters, attackers will take advantage of the present vulnerability. SQL injection exploit can allow attackers to obtain unrestricted access to the database, read sensitive data from the database, modify database data, and in some cases issue commands to the operating system. *
Academic Field: Network Security, Information Technology.
X. Lai et al. (Eds.): E-Forensics 2010, LNICST 56, pp. 271–276, 2011. © Institute for Computer Sciences, Social Informatics and Telecommunications Engineering 2011
272
B. Wu
The multistep of SQL injection attack is as follows: 2.1
Finding Vulnerable Pages
In the first, try to look for pages that allow you to submit data, such as login pages with authentication forms, pages with search engines, feedback pages, etc. In general, Web pages use post or get command to send parameters to another ASP page. These pages include has potential parameters that might be vulnerable [2]. You may find something like this in codes: Sometimes, you may not see the input box on the page directly, as the type of can be set to hidden. However, the vulnerability is still present. On the other hand, if you can't find any